1 Terms and types

1.1 General notations


We assume known elementary set theory and algebra. $\mathcal{N}$ is the set $\{0, 1, \dots\}$ of natural numbers, $\mathcal{N}^+$ the set of positive natural numbers. We shall identify the natural $n$ with the set $\{0, \dots, n-1\}$, and thus $0$ is also the empty set $\emptyset$. Every finite set $S$ is isomorphic to $n$, with $n$ the cardinal of $S$, denoted $n = |S|$. If $A$ and $B$ are sets, we write $A \to B$, or sometimes $B^A$, for the set of functions with domain $A$ and codomain $B$.


1.2 Languages, concrete syntax

Let $\Sigma$ be a finite alphabet. A string $u$ of length $n$ is a function in $n \to \Sigma$. The set of all strings over $\Sigma$ is

$$\Sigma^* = \bigcup_{n \in \mathcal{N}} \Sigma^n.$$

We write $|u|$ for the length $n$ of $u$. We write $u_i$ for $u(i-1)$, when $i \le n$. The null string, unique element of $\Sigma^0$, is denoted $\Lambda$. The unit string of length 1 whose only letter is $a \in \Sigma$ is denoted "$a$". The concatenation of strings $u$ and $v$, defined in the usual fashion, is denoted $u \cdot v$, and when there is no ambiguity we write e.g. "$abc$" for "$a$" $\cdot$ "$b$" $\cdot$ "$c$". When $u \in \Sigma^*$ and $a \in \Sigma$, we write $u \cdot a$ for $u \cdot$ "$a$". We define an ordering $\le$ on $\Sigma^*$, called the prefix ordering, by

$$u \le v \iff \exists w \;\; v = u \cdot w.$$

If $u \le v$, the residual $w$ is unique, and we write $w = v/u$. We say that strings $u$ and $v$ are disjoint, and we write $u \mid v$, iff $u$ and $v$ are unrelated by the partial ordering $\le$. Finally we let $u < v$ iff $u \le v$ with $u \ne v$.

The set $\Sigma^*$ has the structure of a monoid, that is:

$$\begin{aligned}
Ass &: (u \cdot v) \cdot w = u \cdot (v \cdot w) \\
IdL &: \Lambda \cdot u = u \\
IdR &: u \cdot \Lambda = u.
\end{aligned}$$

Actually, $\Sigma^*$ is the free monoid generated by $\Sigma$.

Examples.

1. $\Sigma = 0$. We get $\Sigma^* = 1$.

2. $\Sigma = 1$. We get $\Sigma^* = \mathcal{N}$. Strings are here natural numbers in unary notation, and concatenation corresponds to addition.

3. $\Sigma = 2 = \{0, 1\}$ (the Booleans). The set $\Sigma^*$ is the set of all binary words.

4. $\Sigma = \mathcal{N}^+$. We call the elements of $\Sigma^*$ occurrences. When $u = w \cdot m$ and $v = w \cdot n$, with $m < n$, we say that $u$ is left of $v$, and write $u <_L v$.

1.3 Terms: abstract syntax

We first define a tree domain as a subset $D$ of $(\mathcal{N}^+)^*$ closed under $\le$ and $<_L$:

$$\begin{aligned}
u \in D \wedge v \le u &\Rightarrow v \in D \\
u \in D \wedge v <_L u &\Rightarrow v \in D.
\end{aligned}$$

We say that $M$ is a $\Sigma$-tree iff $M \in D \to \Sigma$, for some tree domain $D$. We define $D(M)$ as $D$, and we say that $D(M)$ is the set of occurrences in $M$. $M$ is said to be finite whenever $D(M)$ is, which we shall assume in the following.

We shall now use occurrences to designate nodes of a tree, and the subtree starting at that node. If $u \in D(M)$, we define the $\Sigma$-tree $M/u$ as mapping occurrence $v$ to $M(u \cdot v)$. We say that $M/u$ is the subtree of $M$ at occurrence $u$. If $N$ is also a $\Sigma$-tree, we define the graft $M[u \leftarrow N]$ as the $\Sigma$-tree mapping $v$ to $N(w)$ whenever $v = u \cdot w$ with $w \in D(N)$, and to $M(v)$ if $v \in D(M)$ and not $u \le v$.

We need one auxiliary notion, that of width of a tree. If $M$ is a $\Sigma$-tree, we define the (top) width of $M$ as

$$\|M\| = \max\{\, n \mid \text{"}n\text{"} \in D(M) \,\}.$$

We shall now consider $\Sigma$ a graded alphabet, that is given with an arity function $a$ in $\Sigma \to \mathcal{N}$. We then say that $M$ is a $\Sigma$-term iff $M$ is a $\Sigma$-tree verifying the supplementary consistency condition:

$$\forall u \in D(M) \quad \|M/u\| = a(M(u)).$$

That is, every subtree of $M$ is of the form $F(M_1, M_2, \dots, M_n)$, with $n = a(F)$. We write $T(\Sigma)$ for the set of $\Sigma$-terms. If $M_1, \dots, M_n \in T(\Sigma)$ and $F \in \Sigma$, with $a(F) = n$, then $M = F(M_1, M_2, \dots, M_n)$ is easily defined as a $\Sigma$-term. This gives $T(\Sigma)$ the structure of a $\Sigma$-algebra. Since conversely the decomposition of $M$ is uniquely determined, we call $T(\Sigma)$ the completely free $\Sigma$-algebra.

Example

With $\Sigma = \{+, S, 0\}$, $a(+) = 2$, $a(S) = 1$, $a(0) = 0$, the following structure represents a $\Sigma$-term:

[tree figure not reproduced in this copy; it is the term written in prefix notation in 1.4 as $+\,+\,0\,S\,0\,S\,S\,0$]

The following proposition is easy to prove by induction. All occurrences are supposed to be universally quantified in the relevant tree domain.

Proposition 1.

$$\begin{aligned}
\text{Embedding} &: M[u \leftarrow N]/(u \cdot v) = N/v \\
\text{Associativity} &: M[u \leftarrow N][u \cdot v \leftarrow P] = M[u \leftarrow N[v \leftarrow P]] \\
\text{Persistence} &: M[u \leftarrow N]/v = M/v \qquad (u \mid v) \\
\text{Commutativity} &: M[u \leftarrow N][v \leftarrow P] = M[v \leftarrow P][u \leftarrow N] \qquad (u \mid v) \\
\text{Distributivity} &: M[u \leftarrow N]/v = (M/v)[u/v \leftarrow N] \qquad (v \le u) \\
\text{Dominance} &: M[u \leftarrow N][v \leftarrow P] = M[v \leftarrow P] \qquad (v \le u).
\end{aligned}$$

We define the length $|M|$ of a (finite) term $M$ recursively by:

$$|F(M_1, \dots, M_n)| = 1 + \sum_{i=1}^{n} |M_i|.$$
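As an added worked example (not part of the original notes), here are the definitions of this section in executable form: terms as nested tuples, occurrences as tuples of positive naturals, the subtree $M/u$, the graft $M[u \leftarrow N]$, the length $|M|$, and a mechanical check of all six identities of Proposition 1 over every occurrence of the example term $(0 + S(0)) + S(S(0))$. The tuple encoding, the sample term and all function names are my own choices, not notation from the notes.

```python
# Added example, not part of the original notes: finite Sigma-terms as
# nested tuples, occurrences as tuples of positive naturals, the subtree
# and graft operations of 1.3, and a mechanical check of Proposition 1.
# The tuple encoding and all names below are my own.
from typing import Dict, Set, Tuple

Term = Tuple[str, tuple]      # (F, (M_1, ..., M_n))
Occ = Tuple[int, ...]         # an occurrence u in (N+)*; () is the root

# The graded alphabet of the notes' example: a(+) = 2, a(S) = 1, a(0) = 0.
ARITY: Dict[str, int] = {"+": 2, "S": 1, "0": 0}

def mk(sym: str, *args: Term) -> Term:
    """F(M_1, ..., M_n); rejects a node whose width differs from a(F)."""
    if ARITY[sym] != len(args):
        raise ValueError(f"{sym} has arity {ARITY[sym]}, got {len(args)} arguments")
    return (sym, tuple(args))

def domain(m: Term) -> Set[Occ]:
    """D(M), closed by construction under the prefix and left-of orderings."""
    occs = {()}
    for i, a in enumerate(m[1], start=1):
        occs |= {(i,) + v for v in domain(a)}
    return occs

def subtree(m: Term, u: Occ) -> Term:
    """M/u: the i-th letter of u selects the i-th child (1-based)."""
    for i in u:
        m = m[1][i - 1]
    return m

def graft(m: Term, u: Occ, n: Term) -> Term:
    """M[u <- N]: builds a new term; the untouched subtrees of M are shared."""
    if not u:
        return n
    i, args = u[0], m[1]
    return (m[0], args[:i - 1] + (graft(args[i - 1], u[1:], n),) + args[i:])

def length(m: Term) -> int:
    """|F(M_1, ..., M_n)| = 1 + sum |M_i|."""
    return 1 + sum(length(a) for a in m[1])

def prefix_polish(m: Term) -> str:
    """The unambiguous prefix (Polish) string of 1.4."""
    return " ".join([m[0]] + [prefix_polish(a) for a in m[1]])

def is_prefix(u: Occ, v: Occ) -> bool:
    return v[:len(u)] == u                                  # u <= v

def disjoint(u: Occ, v: Occ) -> bool:
    return not is_prefix(u, v) and not is_prefix(v, u)     # u | v

def residual(u: Occ, v: Occ) -> Occ:
    """v/u, defined when u <= v."""
    assert is_prefix(u, v)
    return v[len(u):]

def check_proposition_1(m: Term, n: Term, p: Term) -> bool:
    """Check the six identities of Proposition 1 over every occurrence u of
    m, every v of n (Embedding, Associativity) and every v of m under the
    side conditions u | v or v <= u."""
    D = domain(m)
    for u in D:
        g = graft(m, u, n)                                  # M[u <- N]
        for v in domain(n):
            if subtree(g, u + v) != subtree(n, v):                          # Embedding
                return False
            if graft(g, u + v, p) != graft(m, u, graft(n, v, p)):           # Associativity
                return False
        for v in D:
            if disjoint(u, v):
                if subtree(g, v) != subtree(m, v):                          # Persistence
                    return False
                if graft(g, v, p) != graft(graft(m, v, p), u, n):           # Commutativity
                    return False
            if is_prefix(v, u):
                if subtree(g, v) != graft(subtree(m, v), residual(v, u), n):  # Distributivity
                    return False
                if graft(g, v, p) != graft(m, v, p):                        # Dominance
                    return False
    return True

# Constructed sample: the notes' example term (0 + S(0)) + S(S(0)).
ZERO = mk("0")
EXAMPLE = mk("+", mk("+", ZERO, mk("S", ZERO)), mk("S", mk("S", ZERO)))
```

`graft` is functional: it never mutates the input, so grafting into a shared subtree cannot silently change another term that shares it, which is exactly the hazard of the destructive-assignment scheme mentioned in 1.6.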


1.4 Parsing

It is well-known that the term in the example above can be represented unambiguously as a $\Sigma$-string, for instance in prefix Polish notation, that is here: $+\,+\,0\,S\,0\,S\,S\,0$. This result is not very interesting; such strings are neither good notations for humans, nor good representations for computers, since the graft operation necessitates unnecessary copying. We shall discuss later better machine representations, using binary graphs. As far as human readability is concerned, we assume known parsing techniques. This permits to represent terms, on an extended alphabet with parentheses and commas, in a way which is closer to standard mathematical practice. Also, infix notation and indentation permit to keep in the string some of the tree structure more apparent. We shall not make explicit the exact representation grammar, and allow ourselves to write freely for instance $(0 + S(0)) + S(S(0))$. Note that we avoid explicit quotes as well, which permits us to mix freely meta-variables with object structures, like in $S(M)$, where $M$ is a meta-variable denoting a $\Sigma$-term.

1.5 Terms with variables, substitution

The idea is to internalize the notation $S(M)$ above as a term $S(x)$ over an extended alphabet containing special symbols of arity 0 called variables. Such terms with variables are thus polynomial expressions, in the case of completely free operators.

Let $V$ be a denumerable set disjoint from $\Sigma$. We define the set of terms with variables, $T(\Sigma, V)$, in exactly the same way as $T(\Sigma \cup V)$, extending the arity function so that $a(x) = 0$ for every $x$ in $V$. The only difference between the variables and the constants (symbols of arity 0) is that a constant has an existential import: it denotes a value in the domain we are modelling with our term language, whereas a variable denotes a term. The difference is important only when there are no constants in $\Sigma$, since then $T(\Sigma)$ is empty.

All of the notions defined for terms extend to terms with variables. We define the set $V(M)$ of variables occurring in $M$ as:

$$V(M) = \{\, x \in V \mid \exists u \in D(M) \;\; M(u) = x \,\},$$

and we define the number of distinct variables in $M$ as $\nu(M) = |V(M)|$.

We shall now formalize the notion of substitution of terms for variables in a term containing variables. From now on, the sets $\Sigma$ and $V$ are fixed, and we use $T$ to denote $T(\Sigma, V)$. A substitution $\sigma$ is a function in $V \to T$, identity almost everywhere. That is, the set $D(\sigma) = \{\, x \in V \mid \sigma(x) \ne x \,\}$ is finite. We call it the domain of $\sigma$. Substitutions are extended to $\Sigma$-morphisms over $T$ by

$$\sigma(F(M_1, \dots, M_n)) = F(\sigma(M_1), \dots, \sigma(M_n)).$$

Bijective substitutions are called permutations. When $U \subseteq V$, we write $\sigma_U$ for the restriction of substitution $\sigma$ to $U$ (the identity outside $U$). It is easy to show that, for all $\sigma$, $M$ and $U$:

$$V(M) \subseteq U \Rightarrow \sigma(M) = \sigma_U(M).$$

Alternatively, we can define the replacement $M[x \leftarrow N]$ as

$$M[u_1 \leftarrow N] \dots [u_n \leftarrow N],$$

where $\{u_1, \dots, u_n\} = \{\, u \mid M(u) = x \,\}$, and then

$$\sigma(M) = M[x \leftarrow \sigma(x) \mid x \in V(M)]$$

with an obvious notation.

We now define the quasi-ordering $\le$ of matching in $T$ by:

$$M \le N \iff \exists \sigma \;\; N = \sigma(M).$$

It is easy to show that if such a $\sigma$ exists, its restriction $\sigma_{V(M)}$ to the variables of $M$ is unique. We shall call it the match of $N$ by $M$, and denote it by $N/M$.

We define $M \equiv N \iff M \le N \wedge N \le M$. When $M \equiv N$, we say that $M$ and $N$ are isomorphic. This is equivalent to saying that $M = \sigma(N)$ for some permutation $\sigma$. Note that $M \equiv N$ implies $|M| = |N|$. Finally, we define

$$M > N \iff N \le M \wedge \neg\,(M \le N).$$

Proposition. $>$ is a well-founded ordering on $T$.

Proof. We show that $M > N$ implies $\mu(M) > \mu(N)$, with $\mu(M) = |M| - \nu(M)$.

Let $\varphi$ be any bijection between $T \times T$ and $V$. We define a binary operation $\sqcap$ in $T$ by:

$$\begin{aligned}
F(M_1, \dots, M_n) \sqcap F(N_1, \dots, N_n) &= F(M_1 \sqcap N_1, \dots, M_n \sqcap N_n) \\
M \sqcap N &= \varphi(M, N) \quad \text{in all other cases.}
\end{aligned}$$

$M \sqcap N$ is uniquely determined from $\varphi$ and, for distinct $\varphi$'s, is unique up to $\equiv$.

Proposition. $M \sqcap N$ is a g.l.b. of $M$ and $N$ under the match quasi-ordering.

Let $\overline{T}$ be the quotient poset $T/\!\equiv$, completed with a maximum element $\top$. From the propositions above we conclude:

Theorem. $\overline{T}$ is a complete lattice.

Corollary. If two terms $M$ and $N$ have an upper bound, i.e. a common instance $\sigma(M) = \sigma'(N)$, they have a l.u.b. $M \sqcup N$, which is a most general such instance; that is, after renaming the variables of $N$ apart from those of $M$, $\sigma = \rho \circ \tau$ on $V(M)$ and $\sigma' = \rho \circ \tau$ on $V(N)$, for some substitution $\tau$ called the principal unifier of $M$ and $N$. The term $M \sqcup N$ is unique modulo $\equiv$ and may be found by the unification algorithm [159].

Proposition.

$$\begin{aligned}
D(\sigma(M)) &= D(M) \;\cup \bigcup_{\{u \mid M(u) \in V\}} \{\, u \cdot v \mid v \in D(\sigma(M(u))) \,\} \\
\forall u \in D(M) \quad M(u) = x \in V &\Rightarrow \forall v \in D(\sigma(x)) \quad \sigma(M)/(u \cdot v) = \sigma(x)/v \\
\forall u \in D(M) \quad \sigma(M)/u &= \sigma(M/u) \\
\forall u \in D(M) \quad \sigma(M)[u \leftarrow \sigma(N)] &= \sigma(M[u \leftarrow N]).
\end{aligned}$$

1.6 Graph representations, dags

It is usual to represent trees in computers by binary graphs implemented as pairs of machine words. In the simplest scheme, a word is partitioned into one tag bit, and one field interpreted either as an address in the graph memory, or as a natural number, according to the value of the tag. In this last case, some natural (say 0) is reserved for nil, the empty list of trees. Symbols from $\Sigma$ are then coded up as positive naturals. If tree $M$ is represented by the word $W$ and the list $L$ is represented by the word $W'$, then the list $M \cdot L$ is represented by the address of a graph node implemented as the pair $(W, W')$. Similarly, if symbol $F$ is coded up as the word $W$ and the list $L$ is represented by the word $W'$, then the tree $F(L)$ is represented by the address of a graph node implemented as the pair $(W, W')$.

Thus every tree is mapped into a graph, and this representation allows sharing of common subtrees. Assignment to fields may implement grafting without copying, but this method is not usually compatible with sharing: a destructive update of a shared node changes every term that shares it. This is the standard way of representing trees and lists in symbol-manipulation languages such as LISP [124]. The principal problem to be solved in such languages is to keep track dynamically of which areas of the storage are used to represent actively used subtrees. Garbage-collection algorithms have been proposed to solve this problem, but this method is becoming problematic with the current technology of very large virtual memories. A precise description of such memory allocation issues is beyond the scope of these notes.

Terms are of course represented as trees. A global table holds the arity function. There are several possibilities for the representation of variables. They may be represented as symbols. But then the scope structure must be computed by an algorithm, rather than being implicit in the structure. Also a global scanning of the term is necessary to determine its set of variables, and substitution involves copying of the substituted term. For these reasons, variables are often represented rather as integer offsets in stacks of bindings. Such "structure sharing" representations are now standard for PROLOG implementations.

A precise account of the various representation schemes for term structures, and of the accompanying algorithms, is out of the scope of these notes. It should be borne in mind that the crucial problem is memory utilization: the trade-off between copying and sharing is often the deciding factor for an implementation. Languages with garbage-collected structures, such as LISP, are ideal for programming "quick and dirty" prototypes. But serious implementation efforts should aim at good algorithmic performance on realistic size applications.

The crucial algorithms in formula and proof manipulation are matching, unification, substitution and grafting. First-order unification has been specially well studied. A linear algorithm is known [142,28], but in practice quasi-linear algorithms based on congruence classes operations are preferred [115,116]. Furthermore, these algorithms extend without modification to unification of infinite rational terms represented by finite graphs [77]; the only difference is that the final acyclicity test (the occurs check) is omitted, so a variable may then be bound to a term containing it.

Implementation methods may be partitioned into two families. Some depend on logical properties (e.g. sharing subterms in dags arising from substitution to a term containing several occurrences of the same variable). Some are purely statistical (e.g. sharing structures globally through hash-coding techniques). Particular applications require a careful analysis of the optimal trade-off between logical and statistical techniques.

There is no comprehensive survey on implementation issues. Some partial aspects are described in [9,160,117,115,189,184,135,52,1,43,54,20,57,168,185].


2 Inference rules

We shall now study inference systems, defined by inference rules. The general form of an inference rule is

$$R : \frac{P_1 \quad P_2 \quad \cdots \quad P_n}{Q}$$

where the $P_i$'s and $Q$ are propositions belonging to some formal language. We shall here regard these propositions as types, and the inference rule as the description of the signature of $R$ considered as a typed operator. More precisely, $R$ has arity $n$, $P_i$ is the type of its $i$-th argument, and $Q$ is the type of its result. Well-typed terms composed of inference operators are called the proofs defined by the inference system. Let us now examine a few familiar inference systems.


2.1 The trivial homogeneous case: Arities

A graded alphabet $\Sigma$ may be considered as the simplest inference system, where types are reduced to arities. I.e., the set of propositions is $1$, and an operator $F$ of arity $n$ is an inference rule

$$F : \frac{0 \quad 0 \quad \cdots \quad 0}{0}$$

(with $n$ zeros in the numerator). A $\Sigma$-proof corresponds to our $\Sigma$-terms above.

2.2 Finite systems of types: Sorts

The next level of inference systems consists in choosing a finite set $S$ of elementary propositions, usually called sorts. For instance, let $S = \{int, bool\}$, and $\Sigma$ be defined by:

$$0 : int \qquad S : int \to int \qquad true : bool \qquad false : bool \qquad if : bool, int, int \to int,$$

where we use the alternative syntax $P_1, \dots, P_n \to Q$ for an inference rule. The term $if(true, 0, S(0))$ is of sort $int$, i.e. it is a proof of proposition $int$.
As another example, consider the puzzle "Missionaries and Cannibals". We call configuration any triple $(b, m, c) \in 2 \times 4 \times 4$. The boolean $b$ indicates the position of the boat, $m$ (resp. $c$) is the number of missionaries (resp. cannibals) on the left bank. The set of states $S$ is the set of legal configurations, that obey the condition

$$P(m, c) \;=\; (m = c \;\text{ or }\; m = 0 \;\text{ or }\; m = 3).$$

There are thus 10 legal pairs $(m, c)$, hence (with the two positions of the boat) 20 distinct states or sorts. The rules of inference comprise first a constant denoting the starting configuration:

$$S_0 : (0, 3, 3)$$

then the transitions carrying $p$ missionaries and $q$ cannibals from left to right:

$$L_{m,c,p,q} : (0, m, c) \to (1, m - p, c - q) \qquad (m \ge p,\; c \ge q,\; P(m, c),\; P(m - p, c - q),\; 1 \le p + q \le 2)$$

and finally the transitions $R_{m,c,p,q}$, which are inverses of $L_{m,c,p,q}$. The game consists in finding a proof of $(1, 0, 0)$.
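The following is an added example, not part of the original notes: the Missionaries and Cannibals inference system above written down as data, with proof synthesis by breadth-first search (so the first proof found uses the fewest crossings) and proof-checking as type-checking of the operator chain. The rule names `L_mcpq` and `R_mcpq`, the encoding of a proof term $R_k(\dots R_1(S_0)\dots)$ as the list $[R_1, \dots, R_k]$, and the function names are my own.

```python
# Added example, not part of the original notes: the Missionaries and
# Cannibals inference system of 2.2 as data, proof synthesis by breadth-
# first search, and proof-checking as type-checking. The rule names and
# the list encoding of proof terms are my own.
from collections import deque
from typing import Dict, List, Optional, Tuple

State = Tuple[int, int, int]    # (b, m, c): boat side, missionaries, cannibals on the left bank
Rule = Tuple[State, State]      # signature P -> Q of a unary inference operator

def P(m: int, c: int) -> bool:
    """Legality condition of the notes: m = c or m = 0 or m = 3."""
    return m == c or m == 0 or m == 3

# The sorts: the legal configurations in 2 x 4 x 4.
SORTS: List[State] = [(b, m, c) for b in range(2)
                      for m in range(4) for c in range(4) if P(m, c)]

S0: State = (0, 3, 3)           # the constant S0 : (0, 3, 3)

def signatures() -> Dict[str, Rule]:
    """L_{m,c,p,q} : (0,m,c) -> (1,m-p,c-q) under m >= p, c >= q, P(m,c),
    P(m-p,c-q), 1 <= p+q <= 2, and the inverse transitions R_{m,c,p,q}."""
    sig: Dict[str, Rule] = {}
    for m in range(4):
        for c in range(4):
            if not P(m, c):
                continue
            for p in range(3):
                for q in range(3):
                    if 1 <= p + q <= 2 and m >= p and c >= q and P(m - p, c - q):
                        sig[f"L_{m}{c}{p}{q}"] = ((0, m, c), (1, m - p, c - q))
                        sig[f"R_{m}{c}{p}{q}"] = ((1, m - p, c - q), (0, m, c))
    return sig

def type_of(proof: List[str], sig: Dict[str, Rule]) -> Optional[State]:
    """Proof-checking as type-checking.  The proof term R_k(...R_1(S0)...) is
    encoded as [R_1, ..., R_k]; each operator's argument sort must equal the
    sort proved so far.  Returns None for an ill-typed term."""
    sort = S0
    for r in proof:
        src, dst = sig[r]
        if src != sort:
            return None
        sort = dst
    return sort

def prove(goal: State) -> Optional[List[str]]:
    """Proof synthesis: breadth-first search from S0 over the operators of
    Sigma, so the first proof found uses the fewest crossings."""
    sig = signatures()
    parent: Dict[State, Optional[Tuple[str, State]]] = {S0: None}
    queue = deque([S0])
    while queue:
        sort = queue.popleft()
        if sort == goal:
            proof: List[str] = []
            while parent[sort] is not None:
                r, sort = parent[sort]
                proof.append(r)
            return proof[::-1]
        for r, (src, dst) in sig.items():
            if src == sort and dst not in parent:
                parent[dst] = (r, sort)
                queue.append(dst)
    return None
```

`prove((1, 0, 0))` returns the classical eleven-crossing solution; `type_of` re-checks it against the signatures, and rejects a term such as `["L_3302", "L_3302"]` whose second operator is applied to an argument of the wrong sort.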

This simple example of a finite group of transformations applies to more complex tasks, such as Rubik's cube. All state transition systems can be described in a similar fashion. Examples of such proofs are parse-trees of regular grammars, where the inference rules signatures correspond to a finite automaton transition graph. Slightly more complicated formalisms allow subsorts, i.e. containment relationships between the sorts. That is, we postulate primitive implications between the elementary propositions. These systems reduce to simple sorts by considering dummy transitions corresponding to the implicit coercions.

2.3 Types as terms: standard proof trees

We shall here describe our types as terms formed over an alphabet $\Phi$ of type operators, which we shall call functors. For the moment, we shall assume that we have just one category of such propositions, i.e. the functors have just an arity. The alphabet $\Sigma$ of inference rules determines the legal proof trees.


Example: Combinatory logic.

We take as functors a set $\Phi$ of constants $\Phi_0$, plus a binary operator $\Rightarrow$ which we shall write in infix notation. We call functionality a term in $T(\Phi)$. We have three families of rules in $\Sigma$. In the following, the meta-variables $A, B, C$ denote arbitrary functionalities. The operators of the $K$ and $S$ families are of arity 0, the operators of the $App$ family are binary.

$$\begin{aligned}
K_{A,B} &: A \Rightarrow (B \Rightarrow A) \\
S_{A,B,C} &: (A \Rightarrow (B \Rightarrow C)) \Rightarrow ((A \Rightarrow B) \Rightarrow (A \Rightarrow C)) \\
App_{A,B} &: \frac{A \Rightarrow B \qquad A}{B}
\end{aligned}$$

Here is an example of a proof. Let $A$ and $B$ be any functionalities, $C = B \Rightarrow A$, $D = A \Rightarrow C$, $E = A \Rightarrow A$, $F = A \Rightarrow (C \Rightarrow A)$, $G = D \Rightarrow E$. The term

$$App_{D,E}(App_{F,G}(S_{A,C,A}, K_{A,C}), K_{A,B})$$

has type $E$, i.e. it gives a proof of the proposition $A \Rightarrow A$. Indeed $S_{A,C,A}$ has type $F \Rightarrow G$ and $K_{A,C}$ has type $F$, so the inner application has type $G = D \Rightarrow E$; $K_{A,B}$ has type $A \Rightarrow C = D$, and the outer application yields $E$.
We express formally that proof $M$ proves proposition $P$ in the inference system $\Sigma$ as:

$$\Sigma \vdash M : P.$$

That is, we think of a theorem as the type of its proof tree. Proof-checking is identified with type-checking. Here this is a simple consistency check; that is, if operator $F$ is declared in $\Sigma$ as $F : P_1, \dots, P_n \to Q$ and if $\Sigma \vdash M_i : P_i$ for $1 \le i \le n$, then $\Sigma \vdash F(M_1, \dots, M_n) : Q$.

2.4 Polymorphism: Rule schemas

This next level of generality consists in allowing variables in the propositional terms. This is very natural, since it internalizes the meta-variables used to index families of inference rules as propositional variables. The rules of inference become thus polymorphic operators, whose types are expressions containing free variables. This is the traditional notion of schematic inference rule from mathematical logic: each rule is a schema, denoting a family of operators, whose types are all instances of the clause.

Example. The example from the previous section is more naturally expressed in this polymorphic formalism. We replace the set $\Phi_0$ by a set of variables $V$, and now we have just 3 rules of inference: $K$, $S$ and $App$.

Type-checking is now explained in terms of instantiation. Let $\Sigma$ be the current signature of polymorphic operators. We define what it means for a tree $T$ to be consistently typed of type $\tau$ in theory $\Sigma$, which we write $\Sigma \vdash T : \tau$. The definition is by induction on the size of $T$. Assume that $F : Q_1, Q_2, \dots, Q_n \to P$ is in $\Sigma$, and that for some substitution $\sigma$ we have $\Sigma \vdash T_i : \sigma(Q_i)$ for all $1 \le i \le n$. Then we get $\Sigma \vdash F(T_1, \dots, T_n) : \sigma(P)$.

The types can actually be dispensed with, since a well typed term possesses a most general type, called its principal type. For instance, in the example above, the proof $App(App(S, K), K)$ has the principal type $A \Rightarrow A$, with $A \in V$. This term is usually written $I = S\,K\,K$ in combinatory logic, where the concrete syntax convention is to write combinator strings to represent sequences of applications associated to the left.

The notion of principal type, first discovered by Hindley in the combinatory logic context, and independently by Milner for ML type-checking [129], is actually completely general:

The Principal Type Theorem. Let $\Sigma$ be any signature of polymorphic operators over a functor signature $\Phi$. Let $M$ be a legal proof term. Then $M$ possesses a principal type $\tau \in T(\Phi, V)$. That is, $\Sigma \vdash M : \tau$, and for all $\tau' \in T(\Phi, V)$, $\Sigma \vdash M : \tau'$ implies $\tau \le \tau'$.

Proof. Simple induction, using the properties of the principal unifier. Let $T = F(T_1, \dots, T_n)$, with $\Sigma \vdash T : M$. This means that $F : Q_1, Q_2, \dots, Q_n \to P$ is in $\Sigma$, and that $M = \sigma(P)$, with $\Sigma \vdash T_i : \sigma(Q_i)$. By the induction hypothesis, $\Sigma \vdash T_i : \tau_i$, with $\tau_i$ principal. Thus for some $\rho_i$ we have $\sigma(Q_i) = \rho_i(\tau_i)$. We may assume without loss of generality that the $\tau_i$ are renamed so that they have no variable in common, and no variable in common with the defining clause for $F$. Thus the tuples $\langle \dots, Q_i, \dots \rangle$ and $\langle \dots, \tau_i, \dots \rangle$ are simultaneously unifiable, and their principal unifier $\theta$ gives a tuple $\langle \dots, W_i, \dots \rangle$ such that $W_i = \theta(Q_i) = \theta(\tau_i)$. The construction defines $\tau = \theta(P)$ having the required properties.

By now we have developed enough formalism to make sense out of our "propositions as types" paradigm. Actually, the example we have discussed above is the fragment of propositional logic known as "minimal logic". When regarding the functor $\Rightarrow$ as (intuitionistic) implication, and $App$ as the usual inference rule of Modus Ponens, $K$ and $S$ are the two axioms of minimal logic presented as a Hilbert calculus. Combinatory logic is thus the calculus of proofs in minimal logic [48,103].

Actually combinators don't just have a type, they have a value. They can be defined with definition equations in terms of application. Using the concrete syntax mentioned above, we get for instance $K$ and $S$ defined by the following equations:

$$\begin{aligned}
Def_K &: K\,x\,y = x \\
Def_S &: S\,x\,y\,z = x\,z\,(y\,z).
\end{aligned}$$

Exercise. Verify that the two equations above, when seen as unification constraints, define the expected principal types for $K$ and $S$.

This point of view of considering equality axiomatizations of the proof structures corresponds to what the proof-theorists call cut elimination. That is, the two equations above can be used as rewrite rules in order to eliminate redundancies corresponding to useless detours in the proofs. We shall develop more completely this point of view of computation as proof normalization below.

The current formalism of inference rules typed by terms with variables corresponds to intuitionistic sequents in proof theory, and to Horn clauses in automated reasoning. For instance, a PROLOG [31] interpreter may be seen in this framework as a proof synthesis method. Given an alphabet $\Sigma$ of polymorphic inference rules (usually called definite clauses), and a proposition $\tau$ over functor alphabet $\Phi$, it returns (when possible) a proof term $M$ such that $M$ is a legal $\Sigma$-proof term consistently typed with type $\tau'$ instance of $\tau$:

$$\Sigma \vdash M : \tau' \ge \tau.$$

With $\sigma$ the principal unifier of $\tau$ and the principal type of $M$, we say that $\sigma$ is a PROLOG answer to the query $\tau$. Of course this explanation is incomplete; we have to explain that PROLOG finds all such instances by a backtrack procedure constructing proofs in a bottom-up left-to-right fashion, using operators from $\Sigma$ in a specific order (the order in which clauses are declared); this last requirement leads to incompleteness, since PROLOG may loop with recursively composable operators, whereas a different order might lead to termination of the procedure. Also, PROLOG may be presented several goals together, and they may share certain variables, but this may be explained by a simple extension of the above proof-synthesis explanation.

We claim that this explanation of PROLOG is more faithful to reality than the usual one with Horn clauses. In particular, our explanation is completely constructive, and we do not have to explain the processes of conjunctive normalization and Skolemization. Furthermore, there is no distinction in $\Phi$ between predicate and function symbols, consistently with most PROLOG implementations. Actually, we even allow polymorphic signatures which would not be accepted as definite clauses, since some of the types may be reduced to single variables, like for $App$ above.

2.5 Allowing lemmas

The next convenience in a general formalism for manipulating proofs consists in providing the user with a facility to derive and use lemmas.

Let us use the notation $\pi_\Sigma(M)$ to denote the principal type of the (legal) $\Sigma$-term $M$. Thus we have

$$\Sigma \vdash M : \pi_\Sigma(M).$$
It is now possible to use $M$ as a lemma, choosing to name it with a symbol $name$ not in $\Sigma$, using the new term constructor: $\mathbf{let}\ name = M\ \mathbf{in}\ N$. The term $N$ is a proof term constructed in $\Sigma$, enriched with the new (nullary operator) constant $name$. More precisely, the legal proofs using lemmas are defined using the rule:

$$\Sigma \vdash \mathbf{let}\ name = M\ \mathbf{in}\ N : \tau \iff \Sigma \cup \{name : \pi_\Sigma(M)\} \vdash N : \tau.$$

Example. Using the minimal logic combinators above, i.e. $\Sigma = \{K, S, App\}$, derive:

$$\Sigma \vdash \mathbf{let}\ I = S\,K\,K\ \mathbf{in}\ I\,I : A \Rightarrow A.$$

This shows that constant $I$ is used in a polymorphic way, similarly to the basic combinators from $\Sigma$, since its two occurrences in $App(I, I)$ above are typed with two distinct instances of its principal type $\pi_\Sigma(S\,K\,K) = (A \Rightarrow A)$.
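As an added example (not code from the original notes), here are the principal unifier of 1.5, the principal type computation of 2.4 and the let rule of this section in executable form for $\Sigma = \{K, S, App\}$: unification with occurs check, then `infer`, which follows the inductive proof of the Principal Type Theorem (type the arguments, rename the operator's clause apart, unify). It goes slightly beyond the text in that it also reports terms that have no type at all, such as $S\,I\,I$, which fails precisely on the occurs check. The tuple encoding of types and proof terms and all function names are my own.

```python
# Added example, not part of the original notes: first-order unification
# with occurs check (the principal unifier of 1.5), and the principal type
# computation of 2.4 with the let-lemma rule of 2.5, for proof terms over
# the polymorphic signature Sigma = {K, S, App}. Encoding and names are mine.
from itertools import count
from typing import Dict, Optional

# A type (functionality) is a variable, written as a str, or ("=>", A, B).
# unify() works on any first-order terms encoded as (symbol, arg, ...).
Subst = Dict[str, object]

def is_var(t) -> bool:
    return isinstance(t, str)

def apply(s: Subst, t):
    """sigma(M): the substitution extended to a Sigma-morphism over T."""
    if is_var(t):
        return apply(s, s[t]) if t in s else t
    return (t[0],) + tuple(apply(s, a) for a in t[1:])

def occurs(x: str, t) -> bool:
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])

def unify(a, b, s: Optional[Subst] = None) -> Optional[Subst]:
    """Robinson's algorithm: the principal unifier of a and b, or None.
    The occurs check refuses x = F(..x..): without it the solution is one
    of the rational (infinite) terms of 1.6, not an element of T, and a
    type-checker built on it would accept proofs that have no finite type."""
    s = {} if s is None else s
    a, b = apply(s, a), apply(s, b)
    if a == b:
        return s
    if is_var(a):
        if occurs(a, b):
            return None
        s[a] = b
        return s
    if is_var(b):
        return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

_fresh = count()

def rename(t, mapping: Dict[str, str]):
    """A fresh instance of a clause: its variables renamed apart."""
    if is_var(t):
        if t not in mapping:
            mapping[t] = f"t{next(_fresh)}"
        return mapping[t]
    return (t[0],) + tuple(rename(a, mapping) for a in t[1:])

def arrow(a, b):
    return ("=>", a, b)

# K : A => (B => A);  S : (A => (B => C)) => ((A => B) => (A => C));
# App : (A => B), A -> B is handled directly in infer().
SIGMA = {
    "K": arrow("A", arrow("B", "A")),
    "S": arrow(arrow("A", arrow("B", "C")),
               arrow(arrow("A", "B"), arrow("A", "C"))),
}

def infer(term, env, s):
    """Principal type of a proof term, following the inductive proof of
    the Principal Type Theorem: type the arguments, rename the clause
    apart, unify.  Raises TypeError when the term has no type at all."""
    if isinstance(term, str):                  # nullary operator or lemma name
        if term not in env:
            raise TypeError(f"unknown operator {term}")
        return rename(env[term], {}), s        # each occurrence: a fresh instance
    if term[0] == "App":                       # App(M, N)
        tm, s = infer(term[1], env, s)
        tn, s = infer(term[2], env, s)
        result = f"t{next(_fresh)}"
        s = unify(tm, arrow(tn, result), s)
        if s is None:
            raise TypeError("ill-typed application")
        return apply(s, result), s
    if term[0] == "let":                       # let name = M in N
        _, name, m, n = term
        tm, s = infer(m, env, s)
        return infer(n, {**env, name: apply(s, tm)}, s)
    raise TypeError(f"bad proof term {term!r}")

def canonical(t, mapping=None):
    """Variables renamed A, B, C, ... in order of first occurrence, so that
    isomorphic types (1.5) get the same representative."""
    mapping = {} if mapping is None else mapping
    if is_var(t):
        if t not in mapping:
            mapping[t] = "ABCDEFGHIJ"[len(mapping)]
        return mapping[t]
    return (t[0],) + tuple(canonical(a, mapping) for a in t[1:])

def principal_type(term):
    t, s = infer(term, SIGMA, {})
    return canonical(apply(s, t))

def is_typable(term) -> bool:
    try:
        principal_type(term)
        return True
    except TypeError:
        return False

def app(*ts):
    """Combinator strings associate to the left: M N P = App(App(M, N), P)."""
    t = ts[0]
    for u in ts[1:]:
        t = ("App", t, u)
    return t

SKK = app("S", "K", "K")                       # I = S K K
LET_I_I = ("let", "I", SKK, ("App", "I", "I")) # let I = S K K in I I
```

`principal_type(SKK)` gives $A \Rightarrow A$, and `principal_type(LET_I_I)` the same type, each occurrence of `I` being instantiated afresh by `rename` exactly as the rule above prescribes. The lemma name is treated like a basic combinator, which is sound here because the environment contains only closed clauses; once proof terms with variables (section 3.1) enter, a hypothesis variable's type must not be generalised this way.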

Remark. We might more generally expect a facility to use derived inference rules. But here we have a notational difficulty, in order to explain how the free variables from the principal types of the argument proofs are shared, since in the let constant declaration mechanism above we kept the type of $M$ implicit. In standard mathematical practice we think of lemmas as names of propositions (i.e. types) rather than proofs. Thus instead of derived inference rules we tend to use rather proofs modulo hypotheses. This level of term description corresponds to $\lambda$-calculus, which we shall now study.

3 Combinatory Algebra and $\lambda$-calculus

3.1 Proofs with variables: sequents

We first come back to the general theory of proof structures. We assume the alphabet $\Sigma$ of rules of inference to be fixed, and thus we abbreviate $\Sigma \vdash M : N$ as $\vdash_\Sigma M : N$ or even $\vdash M : N$ when $\Sigma$ is clear from the context.

We saw earlier that the Hilbert presentation of minimal logic was not very natural, in that the trivial theorem $A \Rightarrow A$ necessitated a complex proof $S\,K\,K$. The problem is that in practice one does not use just proof terms, but deductions of the form

$$\Gamma \vdash A$$

where $\Gamma$ is a set of (hypothetic) propositions.

Deductions are exactly proof terms with variables. Naming these hypothesis variables and the proof term, we write:

$$\{\dots, x_i : A_i, \dots \mid i \le n\} \vdash M : A$$

with $V(M) \subseteq \{x_1, \dots, x_n\}$. Such formulas are called sequents. Since this point of view is not very well-known, let us emphasize this observation:

Sequents represent proof terms with variables.

Note that so far our notion of proof construction has not changed: $\Gamma \vdash_\Sigma M : A$ iff $\vdash_{\Sigma \cup \Gamma} M : A$, i.e. the hypotheses from $\Gamma$ are used as supplementary axioms, in the same way that in the very beginning we have defined $T(\Sigma, V)$ as $T(\Sigma \cup V)$.

In the next section, we assume fixed the combinatory algebra proof system: $\Sigma = \{K, S, App\}$.
3.2 The deduction theorem

This theorem, fundamental for doing proofs in practice, gives an equivalence between proof terms with variables and functional proof terms:

$$\Gamma \cup \{A\} \vdash B \iff \Gamma \vdash A \Rightarrow B.$$

That is, in our notations:

a) $\Gamma \vdash M : A \Rightarrow B \;\Rightarrow\; \Gamma \cup \{x : A\} \vdash (M\,x) : B$

This direction is immediate, using $App$, i.e. Modus Ponens.

b) $\Gamma \cup \{x : A\} \vdash M : B \;\Rightarrow\; \Gamma \vdash [x]M : A \Rightarrow B$

where the term $[x]M$ is given by the following algorithm.

Schönfinkel's abstraction algorithm:

$$\begin{aligned}
[x]x &= I \quad (= S\,K\,K) \\
[x]M &= K\,M \quad \text{if } M \text{ is an atom (variable or constant) other than } x \\
[x](M\,N) &= S\,[x]M\,[x]N.
\end{aligned}$$

Note that this algorithm motivates the choice of combinators $S$ and $K$ (and optionally $I$). Again we stress a basic observation:

Schönfinkel's algorithm is the essence of the proof of the deduction theorem.

Now let us consider the rewriting system $R$ defined by the rules:

$$\begin{aligned}
Def_K &: K\,x\,y = x, \\
Def_S &: S\,x\,y\,z = ((x\,z)\,(y\,z)),
\end{aligned}$$

optionally supplemented by:

$$Def_I : I\,x = x$$

and let us write $\triangleright$ for the corresponding reduction relation.

Fact. $([x]M\ N) \triangleright^* M[x \leftarrow N]$.

We leave the proof of this very important property to the reader. The important point is that the abstraction operation, together with the application operator and the reduction $\triangleright$, define a substitution machinery. We shall now use this idea more generally, in order to internalize the deduction theorem in a basic calculus of functionality. That is, we forget the specific combinators $S$ and $K$, in favor of abstraction seen now as a new term constructor.

Remark 1. Other abstraction operations may be defined. For instance, the strong abstraction
algorithm is more economical:

[x]x = I

[x]M = K M if x does not occur in M

[x](M x) = M if x does not occur in M

[x](M N) = S [x]M [x]N otherwise.
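Both abstraction algorithms and the rewriting system R can be checked mechanically. The following Python program is an added example, not part of the original notes: it implements Schönfinkel's algorithm and the strong variant of Remark 1, the rules Def_K, Def_S and Def_I as a leftmost-outermost rewriter, and a check of the Fact ([x]M N) ▷* M{x\N} on constructed sample terms. The term representation (Var, Const, App) and all function names are this example's own.

```python
from dataclasses import dataclass

# Added example: combinatory terms are variables, constants (the combinators
# S, K, I) and applications; this representation is this example's own.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

S, K, I = Const("S"), Const("K"), Const("I")

def app(*ts):
    """Left-associated application: app(a, b, c) = ((a b) c)."""
    t = ts[0]
    for u in ts[1:]:
        t = App(t, u)
    return t

def occurs(x, t):
    if isinstance(t, Var):
        return t.name == x
    return isinstance(t, App) and (occurs(x, t.fun) or occurs(x, t.arg))

def abstract(x, t):
    """Schönfinkel's algorithm: [x]t."""
    if isinstance(t, Var) and t.name == x:
        return I
    if isinstance(t, App):
        return app(S, abstract(x, t.fun), abstract(x, t.arg))
    return App(K, t)                   # atom different from x

def abstract_strong(x, t):
    """The strong abstraction algorithm of Remark 1."""
    if isinstance(t, Var) and t.name == x:
        return I
    if not occurs(x, t):
        return App(K, t)
    if isinstance(t.arg, Var) and t.arg.name == x and not occurs(x, t.fun):
        return t.fun                   # [x](M x) = M when x not in M
    return app(S, abstract_strong(x, t.fun), abstract_strong(x, t.arg))

def subst(x, n, t):
    """M{x\\N}: the result of substituting n for the variable x in t."""
    if isinstance(t, Var):
        return n if t.name == x else t
    if isinstance(t, App):
        return App(subst(x, n, t.fun), subst(x, n, t.arg))
    return t

def spine(t):
    """Split t into its head and its list of arguments."""
    args = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]

def step(t):
    """One leftmost-outermost step of Def_K, Def_S or Def_I; None if t is normal."""
    head, args = spine(t)
    if head == K and len(args) >= 2:               # K x y = x
        return app(args[0], *args[2:])
    if head == S and len(args) >= 3:               # S x y z = ((x z) (y z))
        x, y, z = args[:3]
        return app(App(App(x, z), App(y, z)), *args[3:])
    if head == I and len(args) >= 1:               # I x = x
        return app(*args)
    if isinstance(t, App):
        r = step(t.fun)
        if r is not None:
            return App(r, t.arg)
        r = step(t.arg)
        if r is not None:
            return App(t.fun, r)
    return None

def normalize(t, limit=10000):
    """Iterate the reduction relation to a normal form."""
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form within the step limit")

def show(t):
    if isinstance(t, App):
        return "(" + show(t.fun) + " " + show(t.arg) + ")"
    return t.name

def check_fact(x, m, n):
    """([x]m n) >* m{x\\n} for both abstraction algorithms; canonical forms are
    compared because m{x\\n} may itself contain redexes."""
    target = normalize(subst(x, n, m))
    return (normalize(App(abstract(x, m), n)) == target
            and normalize(App(abstract_strong(x, m), n)) == target)
```

For M = (y x) the first algorithm produces S (K y) I while the strong one produces y itself; applying either to an argument and rewriting with R yields the same canonical form as direct substitution, which is the content of the Fact.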




Remark 2. The computation relation ▷ of combinatory algebra is confluent. Actually, it is defined
by a particularly simple case of necessarily sequential rewrite rules. It is compatible with the term
structure of combinatory algebra, and in particular with application. But it is not compatible with
the derived operation of abstraction, and thus the ξ rule of λ-conversion is not valid. That is,
combinatory computation simulates only weak β-reduction.

Similarly to λ-calculus, there are typed and untyped versions of combinatory algebra.

Other combinators than K, S and I have been considered. A general combinator is defined by
a rewrite rule:

C x_1 x_2 ... x_n := M,

where the left-hand side stands for the pattern App(··· App(C, x_1) ···, x_n) and the right-hand side
is an arbitrary term constructed from the x_i's, App, and previously defined combinators.

A  set  of  combinators  is  said  to  form  a  basis  if  it  is  sufficient  to  derive  an  abstraction  algorithm 
(equivalently,  if  S  and  K  are  definable  from  the  set).  The  state  of  the  art  about  combinatory 
completeness  is  described  in  Statman  [174]. 

3.3 Typed λ-calculus

We now abandon the first-order term structures of combinatory algebra and turn to λ-calculi. We
first consider typed λ-calculus, where the set of types T is defined as the set of terms constructed
over some functor alphabet Φ containing the binary functor ⇒. We write T* for the set of finite
sequences of types, with 1 the empty sequence and Γ × A the sequence obtained from sequence Γ
by adding one more type A.

We define recursively a relation Γ ⊢ M : A, read "M is a term of type A in context Γ", where
A ∈ T and Γ ∈ T*, as follows:

Variable : If 1 ≤ n ≤ |Γ| then Γ ⊢ n : Γ_n, where Γ_n is the n-th type of Γ counted from its
right end, i.e. from the innermost binder

Abstraction : If Γ × A ⊢ M : B then Γ ⊢ [A] M : A ⇒ B

Application : If Γ ⊢ M : A ⇒ B and Γ ⊢ N : A then Γ ⊢ (M N) : B

Thus a term may be a natural number, or may be of the form [A] M with A a type and M a
term, or may be of the form (M N) with M, N two terms.

We thus obtain typed λ-terms with variables coded as de Bruijn's indexes [16], i.e. as integers
denoting their reference depth (distance in the tree to their binder). This representation avoids all
the renaming problems associated with actual names (α-conversion), but we shall use such names
whenever we give examples of terms. For instance, the term [A](1 [B](1 2)) shall be presented
under a concrete representation such as [x : A](x [y : B](y x)). In Church's original notation,
the left bracket was a λ and the right bracket a dot, typing being indicated by superscripting, like:
λx^A · (x λy^B · (y x)).

Note that the relation Γ ⊢ M : A is functional, in that A is uniquely determined from Γ and M.
Thus the definition above may be interpreted as the recursive definition of a function A = τ_Γ(M).

The set T of types used in the λ-terms has been defined as all terms constructed from Φ
containing ⇒. The ordinary Curry-Church λ-calculus is obtained when Φ = {⇒} ∪ T_0, where T_0 is
a finite set of atomic types, for instance {bool, int}. But we may include other functors in Φ. The
proofs of the intuitionistic version NJ of Gentzen's natural deduction system may be represented
by typed λ-terms, over the alphabet of functors defined by the propositional connectives.
3.4 Computation

We are now ready to define the computation relation ▷ as follows:

([A]M N) ▷ M{N}  (β)

M ▷ M' ⟹ [A]M ▷ [A]M'  (ξ)

M ▷ M' ⟹ (M N) ▷ (M' N)

M ▷ M' ⟹ (N M) ▷ (N M').

It is clear that computation preserves the types of terms. The computation relation presented
above is traditionally called (strong) β-reduction. It is confluent and noetherian (because of the
types!), and thus every term possesses a canonical form, obtainable by iterating computation non-
deterministically. Another valid conversion rule is η-conversion:

[x : A](M x) = M  (η)

whenever x does not appear in M.
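As an added example (not from the original notes), the following Python program implements the typing relation of section 3.3 with de Bruijn indices and the computation relation of section 3.4, and checks at every β-step that the type τ_Γ(M) is preserved. Types are atoms (strings) or ("=>", A, B) tuples; terms are integers, ("lam", A, M) for [A]M and ("app", M, N) for (M N). The typed combinators K and S at the end are constructed for this example.

```python
# Added example: types are atoms (strings) or ("=>", A, B); terms are
# integers (de Bruijn index, 1 = innermost binder), ("lam", A, M) for [A]M
# and ("app", M, N) for (M N). The representation is this example's own.

def arrow(a, b):
    return ("=>", a, b)

def typeof(ctx, term):
    """tau_Gamma(M): the unique type of term in ctx (a list of types, innermost
    binder last); raises TypeError if the term is ill-typed."""
    if isinstance(term, int):                       # Variable
        if not 1 <= term <= len(ctx):
            raise TypeError(f"unbound index {term}")
        return ctx[-term]                            # counted from the right end
    if term[0] == "lam":                             # Abstraction
        _, a, body = term
        return arrow(a, typeof(ctx + [a], body))
    _, m, n = term                                   # Application
    tm, tn = typeof(ctx, m), typeof(ctx, n)
    if not (isinstance(tm, tuple) and tm[0] == "=>" and tm[1] == tn):
        raise TypeError(f"cannot apply a term of type {tm} to one of type {tn}")
    return tm[2]

def is_typable(ctx, term):
    try:
        typeof(ctx, term)
        return True
    except TypeError:
        return False

def shift(d, c, term):
    """Add d to every free index >= c in term (c is the cutoff)."""
    if isinstance(term, int):
        return term + d if term >= c else term
    if term[0] == "lam":
        return ("lam", term[1], shift(d, c + 1, term[2]))
    return ("app", shift(d, c, term[1]), shift(d, c, term[2]))

def subst(j, s, term):
    """Replace index j by s in term, shifting s when passing under a binder."""
    if isinstance(term, int):
        return s if term == j else term
    if term[0] == "lam":
        return ("lam", term[1], subst(j + 1, shift(1, 1, s), term[2]))
    return ("app", subst(j, s, term[1]), subst(j, s, term[2]))

def beta(body, n):
    """M{N} for the redex ([A]M N): substitute, then drop the removed binder."""
    return shift(-1, 1, subst(1, shift(1, 1, n), body))

def step(term):
    """One leftmost-outermost step of the rules (beta), (xi) and the two
    application rules; None if term is in canonical form."""
    if isinstance(term, int):
        return None
    if term[0] == "lam":
        r = step(term[2])                            # rule (xi)
        return None if r is None else ("lam", term[1], r)
    _, m, n = term
    if isinstance(m, tuple) and m[0] == "lam":       # rule (beta)
        return beta(m[2], n)
    r = step(m)
    if r is not None:
        return ("app", r, n)
    r = step(n)
    return None if r is None else ("app", m, r)

def normalize(ctx, term):
    """Iterate computation to the canonical form (noetherian because the term
    is typed), checking at each step that the type is preserved."""
    ty = typeof(ctx, term)
    while (nxt := step(term)) is not None:
        if typeof(ctx, nxt) != ty:
            raise AssertionError("computation changed the type")
        term = nxt
    return term

# Constructed sample terms: the typed combinators K and S, and S K K,
# which has type A => A and canonical form [A]1.
def K(a, b):
    return ("lam", a, ("lam", b, 2))                 # [x : a][y : b]x

def S(a, b, c):
    return ("lam", arrow(a, arrow(b, c)),            # [x : a=>b=>c]
            ("lam", arrow(a, b),                     # [y : a=>b]
             ("lam", a, ("app", ("app", 3, 1), ("app", 2, 1)))))   # [z : a](x z (y z))

X = arrow("X", "A")
SKK = ("app", ("app", S("A", X, "A"), K("A", X)), K("A", "X"))
```

The self-application [A](1 1) is rejected by typeof, and S K K normalizes in three β-steps to the identity [A]1 without its type A ⇒ A ever changing.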

3.5 Weak reduction

There are many variations on λ-calculus. What we have just presented is typed λ-calculus, with
Curry-Church types. The notion of computation ▷ is strong β-reduction. It is also interesting
to consider a weak reduction, obtained by not allowing rule ξ above. Thus, weak reduction is not
compatible with the abstraction operator [ ]. As we have already seen, λ-calculus may be translated
into combinatory algebra, but the natural computation rule associated with the set of combinator
definitions seen as a term rewriting system corresponds then to weak reduction, not strong reduction.

3.6 Pure λ-calculus

If we remove the types, we get the theory of pure λ-calculus. The set of pure lambda terms is
defined as:

Λ = ∪_{n ≥ 0} Λ_n

where the set Λ_n of λ-terms with n potential free variables is defined inductively by:

• i ∈ Λ_n if 1 ≤ i ≤ n

• []M ∈ Λ_n if M ∈ Λ_{n+1}

• (M N) ∈ Λ_n if M, N ∈ Λ_n

As we did previously, we get readable concrete syntax by sticking variable names in the brackets,
as in [x]x. The terms in Λ_0 are the closed pure λ-terms. Analogous untyped versions of the rules
above define analogous computation rules. Sometimes syntactic properties are easier to prove in
pure λ-calculus. For instance, the confluence property in typed calculi is an easy consequence of
the corresponding property in the pure calculus, if we remark that computation preserves typing.
The classical method, due to Tait and Martin-Löf [4], consists in proving that the parallel reduction
relation ⇛ is strongly confluent, with ⇛ defined as the reflexive and compatible closure of:

If M ⇛ M' and N ⇛ N' then ([]M N) ⇛ M'{N'}

It is easy to check that indeed ▷ and ⇛ have the same reflexive-transitive closure, whence the
result. As we saw for regular term rewriting systems, such a "parallel moves" theorem is actually
much stronger than strong confluence, since it corresponds to the existence of pushouts in an
appropriate category of computations. The theory of λ-calculus derivations is worked out in detail
in J. J. Lévy's thesis [108,109]. Note that contrarily to the theory of regular term rewriting systems,
the parallel reduction ⇛ is not limited to parallel disjoint redexes, since in λ-calculus residuals of
a redex may not be disjoint. For instance, consider ([u](u u) [v]([x]v y)): contracting the outer
redex duplicates the inner one, and one copy ends up inside the argument of the other.

The theory of β-η-reduction is rather complicated. Actually, note that there is a critical pair
between the two rules, since ([x](M x) N) contains conflicting redexes for the two rules. Fortunately,
the two rules reduce to the same term (M N). However, the two rules are usually dealt with
separately, since it can be shown that η conversions can be postponed after β reductions. In the
following, we write ▷ for the β-reduction rule, and = for its associated congruence. The theory of
β-reduction is similar to the theory of regular term rewriting systems. Certain results are simpler.
For instance, the standardization theorem has a simpler form, since the standard derivation always
reduces the leftmost needed redex. Others are more complicated, due to the residual embedding
noted earlier.

Certain theorems are identical for the pure calculus as for the typed case. Other aspects of pure
λ-calculus differ from the typed version. In the pure calculus, some terms do not admit
normal forms. For instance, with Δ = [u](u u) and X = (Δ Δ), we get X ▷ X ▷ ... A more
interesting example is given by

Y = [f]([u](f (u u)) [u](f (u u)))

since (Y M) = (M (Y M)) shows that Y defines a general fixpoint operator. Y is called the
Curry fixpoint operator. Other fixpoint operators are known. For instance, the Turing fixpoint
operator is defined as:

Θ = ([x][y](y (x x y)) [x][y](y (x x y))),

and it verifies the stronger property that for every M we have (Θ M) ▷* (M (Θ M)).

Exercise. Show that Φ = [φ][f](f (φ f)) is a generator of fixpoints, in that M is a fixpoint
combinator iff (Φ M) = M.

The existence of fixpoint operators, and the easy encoding of arithmetic notions in pure λ-calculus,
make it a computationally complete formalism: all partial recursive functions are definable. We
shall not develop further this aspect of λ-calculus, but we just remark that it entails the unde-
cidability of most syntactic properties. Thus = is an undecidable relation, and it is generally
undecidable whether a given term is normalisable or not.

What we are mostly concerned with here is the application of λ-calculus to logic. And one may
worry about the interpretation of fixpoints of propositional connectives such as negation. The next
section shows that indeed pure λ-calculus is logically problematic.

3.7 Curry's version of Russell's paradox

Our framework is minimal logic, with propositions represented as pure λ-expressions. That is, we
assume that ⇒ is a constant of the calculus. We assume that we have as rules of inference:

A ⇒ B, A ⊢ B  (App)

⊢ A ⇒ A  (I)

⊢ (A ⇒ (A ⇒ B)) ⇒ (A ⇒ B)  (W)

It is easy to see that (W) is valid in minimal logic (consider [u : A ⇒ (A ⇒ B)] [v : A](u v v)).
Now consider an arbitrary proposition X. Let us define N = [A](A ⇒ X), and let M = (Y N). N
is in a way the minimal meaning for negation, and M is a fixpoint of it. That is:

M = (M ⇒ X).  (*)

Now we get M ⇒ M from (I), and thus M ⇒ (M ⇒ X) by (*) used as an equality. Using App
and W we infer M ⇒ X, and thus M using (*) in the reverse direction. A final use of App yields
X, which is an arbitrary proposition, and thus the logic is inconsistent [48].

Thus combinatory completeness of the pure λ-calculus at the level of propositions is not com-
patible with the logical completeness issued from the typed λ-calculus at the level of proofs.

Half way between the typed and the pure calculus we find typed calculi where additional
constants and reduction rules have been added. For instance, it is possible to add typed recursion
operators in order to develop recursive arithmetic in a sound way [175].

3.8 ML's polymorphism

We saw that formal systems could be pleasantly presented using polymorphic operators (inference
rules) at the meta level. This possibility could be pushed at the user level, by allowing him to extend
the system with derived polymorphic constants. We also saw that λ-calculus allowed the user to
do proofs modulo a set of hypotheses Γ. However there is a fundamental difference behind the
apparent similarity between the notations Σ ⊢ ... and Γ ⊢ .... That is, when a constant declaration
C : τ is in Σ we allow it to be polymorphic, whereas when a variable declaration x : τ is in Γ we
require its type τ to be a constant term.

There is no immediate possible extension of polymorphism to variables, because the implicit
universal quantification of type variables does not commute well with abstraction, since → is
contravariant on the left. We need to face up to this problem by introducing some explicit quantifica-
tion for type variables. A weak form of such polymorphism is implemented in ML, and explained
below. A more general form will be explained in the section on polymorphic λ-calculus below.

This idea of type quantification corresponds to allowing proposition quantifiers in our proposi-
tional logic. First we allow a universal quantifier in prenex position. That is, with T_0 = T(Φ, V),
we now introduce type schemas in T_1 = T_0 ∪ {∀α · τ | τ ∈ T_1, α ∈ V}. A (type) term in T_1 has thus
both free and bound variables, and we write FV(M) and BV(M) for the sets of free (respectively
bound) variables. We shall use systematically in the following the meta variables τ, τ', etc. for
type schemes in T_1, whereas un-quantified types from T_0 are denoted τ_0, τ'_0, etc.

We now define generic instantiation.

Let τ = ∀α_1...α_n · τ_0 ∈ T_1 and τ' = ∀β_1...β_m · τ'_0 ∈ T_1. We define τ' ≥_G τ (τ' is a generic
instance of τ) iff τ'_0 = σ(τ_0) for some substitution σ of domain {α_1, ..., α_n}, with β_i ∉ FV(τ)
(1 ≤ i ≤ m). Note that the ordinary instance ordering ≥ acts on FV whereas ≥_G acts on BV.
Also note

τ' ≥_G τ ⟹ σ(τ') ≥_G σ(τ).

We now present the Damas-Milner inference system for polymorphic λ-calculus [50]. In what
follows, a sequent hypothesis Γ is assumed to be a list of specifications x_i : τ_i, with τ_i ∈ T_1, and we
write FV(Γ) = ∪_i FV(τ_i).


TAUT : Γ ⊢ x : τ  (x : τ ∈ Γ)

INST : If Γ ⊢ M : τ and τ' ≥_G τ then Γ ⊢ M : τ'

GEN : If Γ ⊢ M : τ and α ∉ FV(Γ) then Γ ⊢ M : ∀α · τ

APP : If Γ ⊢ M : τ_1 → τ_0 and Γ ⊢ N : τ_1 then Γ ⊢ (M N) : τ_0

ABS : If Γ ∪ {x : τ_1} ⊢ M : τ_0 then Γ ⊢ [x]M : τ_1 → τ_0

LET : If Γ ⊢ M : τ and Γ ∪ {x : τ} ⊢ N : τ' then Γ ⊢ let x = M in N : τ'

Note that here the context Γ stores both the variables (introduced with ABS) and the constants
(introduced with LET). However constants are allowed to be polymorphic, whereas variables are
limited to ordinary types from T_0.

Example. We get for instance:

⊢ let i = [x]x in (i i) : α → α

whereas the term [x](x x) cannot be typed in the system.

The above system may be extended without difficulty by other functors such as product, and
by other ML constructions such as conditional, equality and recursion:

PROD : If Γ ⊢ M : τ and Γ ⊢ N : τ' then Γ ⊢ (M, N) : τ × τ'

FST : Γ ⊢ fst : ∀αβ · (α × β) → α

SND : Γ ⊢ snd : ∀αβ · (α × β) → β

IF : If Γ ⊢ P : bool, Γ ⊢ M : α and Γ ⊢ N : α then Γ ⊢ if P then M else N : α

EQ : Γ ⊢ = : ∀α · (α × α) → bool

REC : Γ ⊢ Y : ∀α · (α → α) → α

and we define let rec x = M in N as an abbreviation for let x = Y([x]M) in N.

Every ML compiler contains a type-checker implementing implicitly the above inference system.
For instance, with the unary functor list and the following ML primitives: [] : (list α), cons :
α × (list α) → (list α) (written infix as a dot), hd : (list α) → α and tl : (list α) → (list α), we may
define recursively the map functional as:

let rec map f l = if l = [] then [] else (f (hd l)) · map f (tl l)

and we get as its type:

⊢ map : (α → β) → (list α) → (list β).


Of course the ML compiler is not implemented directly from the inference system above, which is
non-deterministic because of rules INST and GEN. It uses unification instead, and thus computes
deterministically a principal type, which is minimum with respect to ≤_G:

Milner's Theorem. Every typable expression of the polymorphic λ-calculus possesses a principal
type, minimum with respect to generic instantiation [129].
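The following Python program is an added example, not part of the original notes nor of any ML compiler: a deterministic version of the Damas-Milner system above (Milner's algorithm W), which computes principal types by unification with an occurs check. It types let i = [x]x in (i i) as α → α, rejects [x](x x), and types the map definition above. The primitives cond, =, nil, cons, hd, tl and Y are constructed for this example, curried for simplicity where the text uses products, and if P then M else N is written as the function cond; principal types are printed with their variables renamed 'a, 'b in order of appearance.

```python
import itertools

_counter = itertools.count()

# Added example. Types: ("var", n) | ("->", a, b) | ("con", name, [args]),
# e.g. bool or (list a); schemes: ("forall", [names], type); terms:
# ("var", x) | ("lam", x, M) | ("app", M, N) | ("let", x, M, N).
def tvar(n): return ("var", n)
def arrow(a, b): return ("->", a, b)
def con(name, *args): return ("con", name, list(args))
def fresh(): return tvar(f"t{next(_counter)}")

def apply_subst(s, t):
    """Apply the substitution s (dict name -> type) to t, following chains."""
    if t[0] == "var": return apply_subst(s, s[t[1]]) if t[1] in s else t
    if t[0] == "->": return arrow(apply_subst(s, t[1]), apply_subst(s, t[2]))
    return con(t[1], *[apply_subst(s, x) for x in t[2]])

def free_tvars(t):
    if t[0] == "var": return {t[1]}
    if t[0] == "->": return free_tvars(t[1]) | free_tvars(t[2])
    return set().union(*[free_tvars(x) for x in t[2]])

def unify(s, a, b):
    """Extend s so that a and b become equal, or raise TypeError."""
    a, b = apply_subst(s, a), apply_subst(s, b)
    if a == b: return
    if a[0] == "var":
        if a[1] in free_tvars(b):            # occurs check: no t = t -> u
            raise TypeError(f"infinite type {a} = {b}")
        s[a[1]] = b
    elif b[0] == "var": unify(s, b, a)
    elif a[0] == b[0] == "->":
        unify(s, a[1], b[1]); unify(s, a[2], b[2])
    elif a[0] == b[0] == "con" and a[1] == b[1] and len(a[2]) == len(b[2]):
        for x, y in zip(a[2], b[2]): unify(s, x, y)
    else: raise TypeError(f"cannot unify {a} with {b}")

def generalize(s, env, t):
    """GEN: quantify the type variables of t that are not free in env."""
    t = apply_subst(s, t)
    env_fv = set()
    for _, bound, body in env.values():
        env_fv |= free_tvars(apply_subst(s, body)) - set(bound)
    return ("forall", sorted(free_tvars(t) - env_fv), t)

def instantiate(scheme):
    """INST: replace the quantified variables by fresh ones."""
    return apply_subst({n: fresh() for n in scheme[1]}, scheme[2])

def infer(s, env, term):
    """Algorithm W: a type for term under env, extending the substitution s."""
    tag = term[0]
    if tag == "var": return instantiate(env[term[1]])            # TAUT, INST
    if tag == "lam":                                              # ABS: monotype
        a = fresh()
        return arrow(a, infer(s, {**env, term[1]: ("forall", [], a)}, term[2]))
    if tag == "app":                                              # APP
        tf, ta, r = infer(s, env, term[1]), infer(s, env, term[2]), fresh()
        unify(s, tf, arrow(ta, r))
        return r
    _, x, m, n = term                                             # LET: scheme
    return infer(s, {**env, x: generalize(s, env, infer(s, env, m))}, n)

def show(t, names):
    """Render a type, renaming its variables 'a, 'b, ... by first occurrence."""
    if t[0] == "var":
        return names.setdefault(t[1], "'" + "abcdefgh"[len(names)])
    if t[0] == "->": return f"({show(t[1], names)} -> {show(t[2], names)})"
    if not t[2]: return t[1]
    return "(" + " ".join([t[1]] + [show(x, names) for x in t[2]]) + ")"

def principal_type(term, env=None):
    s = {}
    return show(apply_subst(s, infer(s, env or {}, term)), {})

def is_typable(term, env=None):
    try: principal_type(term, env); return True
    except (TypeError, KeyError): return False

# Term builders and constructed ML-like primitives (curried here).
def V(x): return ("var", x)
def A(f, *xs):
    for x in xs: f = ("app", f, x)
    return f
def L(*xs_body):
    *xs, body = xs_body
    for x in reversed(xs): body = ("lam", x, body)
    return body

a = tvar("a")
PRIMS = {
    "Y":    ("forall", ["a"], arrow(arrow(a, a), a)),                 # rule REC
    "cond": ("forall", ["a"], arrow(con("bool"), arrow(a, arrow(a, a)))),
    "=":    ("forall", ["a"], arrow(a, arrow(a, con("bool")))),
    "nil":  ("forall", ["a"], con("list", a)),
    "cons": ("forall", ["a"], arrow(a, arrow(con("list", a), con("list", a)))),
    "hd":   ("forall", ["a"], arrow(con("list", a), a)),
    "tl":   ("forall", ["a"], arrow(con("list", a), con("list", a))),
}

# let rec map f l = if l = [] then [] else (f (hd l)) . map f (tl l), expanded
# as let map = Y([map][f][l] ...) in map.
MAP = ("let", "map",
       A(V("Y"), L("map", "f", "l",
                   A(V("cond"), A(V("="), V("l"), V("nil")), V("nil"),
                     A(V("cons"), A(V("f"), A(V("hd"), V("l"))),
                       A(V("map"), V("f"), A(V("tl"), V("l"))))))),
       V("map"))
```

The single substitution s threads through the whole inference, so the occurs check in unify is what rejects [x](x x): the variable x is bound to a monotype t, and applying it to itself would require t = t → u. The same term, bound by let instead, is generalized and can be instantiated twice independently.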

ML is a strongly typed programming language, where type inference is possible because of the
above theorem: the user need not write type specifications. The compiler of the language does
more than type-checking, since it actually performs a proof synthesis. Types disappear at run
time, but because of the type analysis no dynamic checks are needed to enforce the consistency of
data operations, and this allows fast execution of ML programs. ML is actually a generic name for
languages of the ML family. For instance, by adding exceptions, abstract data types (permitting
in particular user-defined functors) and references, one gets approximately the meta-language of
the LCF proof assistant [66]. By adding record type declarations (i.e. labeled sums and products)
one gets L. Cardelli's ML [22]. By adding constructor types, pattern-matching and concrete syntax,
we get the ML presented in Chapter 1. A more complete language, including modules, is under
design as Standard ML [130]. Current research topics on the design of ML-like languages are the
incorporation of object-oriented features allowing subtypes, remanent data structures and bitmap
operations [23], and "lazy evaluation" permitting streams and ZF expressions [187,138].

Note on the relationship between ML and λ-calculus. First, ML uses so-called call by value im-
plementation of procedure call, corresponding to innermost reduction, as opposed to the outermost
regime of the standard reduction. Lazy evaluation permits standard reductions, but closures (i.e.
objects of a functional type α → β) are not evaluated. Finally, types in ML serve for ensuring the
integrity of data operations, but still allow infinite computations by non-terminating recursions.

Remark 1. The complexity of ML's type computation algorithm has been recently analysed by
Kanellakis and Mitchell [92]. Rather surprisingly, the problem was shown to be PSPACE hard. This
stands in contrast to the linear time algorithm which may be used to compute principal types in the
Principal Type Theorem above. This may be explained intuitively as follows. Lambda expressions
typable in the simple type discipline possess a principal type which is computable in linear time,
like for combinatory logic above. ML's polymorphism, and typing complexity, arises from the let
construct. Intuitively, let expressions are marked redexes, whose parallel reduction is simulated by
ML's typing algorithm. The exponential factor comes from a possible blow-up in the size of the
corresponding reduced term, due to embeddings of let's. This potential exponential blow-up does
not seem to be practically problematical, since programmers do not usually write expressions with
a high level of let nesting.


Remark 2. The typing rule for recursion is not as general as one might wish, since the bound
recursive variable may not be used polymorphically inside the body. We may rather define
let rec x = M in N as an abbreviation for let x = μx · M in N, where the μ binding op-
erator obeys the typing rule:

If Γ ∪ {x : τ} ⊢ M : τ then Γ ⊢ μx · M : τ

With this new convention, we may now typecheck terms such as:

let K = [x][y]x in let rec F = [x](F (K x)).

However, it is not known whether such an extended system admits a principal typing algorithm [132]
(and even whether type-checking stays decidable.)
3.9 The limits of ML's polymorphism

Consider the following ML definition:

let rec power n f u = if n = 0 then u else f (power (n - 1) f u)

of type nat → (α → α) → (α → α). This function, which associates to natural n the polymorphic
iterator mapping function f to the n-th power of f, may be considered a coercion operator between
ML's internal naturals and Church's representation of naturals in pure λ-calculus [30]. Let us recall
briefly this representation. Integer 0 is represented as the projection term [f][u]u. Integer 1 is
[f][u](f u). More generally, n is represented as the functional n̄ iterating a function f to its n-th
power:

n̄ = [f][u](f (f ... (f u) ...))

and the arithmetic operators may be coded respectively as:

n + m = [f][u](n f (m f u))

n × m = [f](n (m f))

n^m = (m n).

For instance, with 2̄ = [f][u](f (f u)), we check that 2̄ × 2̄ converts to its normal form 4̄.
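The Church numerals above and the fixpoint operators of section 3.6 can be exercised with the following Python program, an added example that is not part of the original notes. It represents pure λ-terms with named variables, implements capture-avoiding substitution and leftmost-outermost (standard) β-reduction, and checks that 2̄ × 2̄ normalizes to 4̄, that (Θ M) ▷* (M (Θ M)) in two steps, and that (Y M) and (M (Y M)) only share a common reduct. All sample terms are constructed here and the function names are this example's own.

```python
import itertools

# Added example: pure λ-terms with named variables, ("var", x), ("lam", x, M)
# for [x]M and ("app", M, N) for (M N). The representation is this example's own.
_fresh = itertools.count()

def var(x): return ("var", x)
def lam(x, m): return ("lam", x, m)
def app(f, *xs):
    """Left-associated application: app(a, b, c) = ((a b) c)."""
    for x in xs:
        f = ("app", f, x)
    return f
def lams(xs, m):
    for x in reversed(xs):
        m = lam(x, m)
    return m

def free_vars(t):
    if t[0] == "var": return {t[1]}
    if t[0] == "lam": return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def subst(t, x, n):
    """t{x\\n}: substitute n for x in t, renaming a binder of t that would
    capture a free variable of n."""
    if t[0] == "var":
        return n if t[1] == x else t
    if t[0] == "app":
        return app(subst(t[1], x, n), subst(t[2], x, n))
    _, y, body = t
    if y == x:
        return t
    if y in free_vars(n):
        z = f"{y}_{next(_fresh)}"
        body, y = subst(body, y, var(z)), z
    return lam(y, subst(body, x, n))

def step(t):
    """One leftmost-outermost β-step (the standard, normal-order strategy);
    None if t is in normal form."""
    if t[0] == "var":
        return None
    if t[0] == "lam":
        r = step(t[2])
        return None if r is None else lam(t[1], r)
    m, n = t[1], t[2]
    if m[0] == "lam":
        return subst(m[2], m[1], n)
    r = step(m)
    if r is not None:
        return app(r, n)
    r = step(n)
    return None if r is None else app(m, r)

def steps(t, k):
    for _ in range(k):
        t = step(t)
    return t

def normalize(t, limit=5000):
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form within the step limit")

def alpha_eq(s, t, env=()):
    """Equality up to renaming of bound variables."""
    if s[0] != t[0]:
        return False
    if s[0] == "var":
        for a, b in env:                      # innermost binder first
            if s[1] == a or t[1] == b:
                return s[1] == a and t[1] == b
        return s[1] == t[1]
    if s[0] == "lam":
        return alpha_eq(s[2], t[2], ((s[1], t[1]),) + env)
    return alpha_eq(s[1], t[1], env) and alpha_eq(s[2], t[2], env)

# Church numerals and arithmetic, as in the text.
def church(n):
    body = var("u")
    for _ in range(n):
        body = app(var("f"), body)
    return lams(["f", "u"], body)            # [f][u](f (f ... (f u) ...))

def add(n, m): return lams(["f", "u"], app(n, var("f"), app(m, var("f"), var("u"))))
def mul(n, m): return lam("f", app(n, app(m, var("f"))))
def power(n, m): return app(m, n)            # n^m = (m n)

def church_to_int(t):
    """Normalize t and read it back as a numeral; None if it is not one."""
    t = normalize(t)
    if t[0] != "lam" or t[2][0] != "lam":
        return None
    f, u, body = t[1], t[2][1], t[2][2]
    n = 0
    while body[0] == "app" and body[1] == var(f):
        body, n = body[2], n + 1
    return n if body == var(u) else None

# Curry's Y and Turing's Theta.
W = lam("u", app(var("f"), app(var("u"), var("u"))))
Y = lam("f", app(W, W))                      # [f]([u](f (u u)) [u](f (u u)))
T = lams(["x", "y"], app(var("y"), app(var("x"), var("x"), var("y"))))
THETA = app(T, T)                            # ([x][y](y (x x y)) [x][y](y (x x y)))
```

Exponentiation (3̄ 2̄) is the case where capture avoidance matters: both numerals bind a variable named u, and without the renaming in subst the outer u would be captured and the result would not read back as 8. The fixpoint checks use steps rather than normalize, since (Θ M) and (Y M) have no normal form for a variable M.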

We would like to consider a type

NAT = ∀α · (α → α) → (α → α)

and be able to type the operations above as functions of type NAT → NAT → NAT. However the
notion of polymorphism found in ML does not support such a type; it allows only the weaker

∀α · ((α → α) → (α → α)) → ((α → α) → (α → α)) → ((α → α) → (α → α))

which is inadequate, since it forces the same generic instantiation of NAT in the two arguments.

4 Polymorphic λ-calculus

The example above suggests using the universal type quantifier inside type formulas. We thus
consider a functor alphabet based on one binary → constructor and one quantifier ∀. We shall
now consider a λ-calculus with such types, which we shall call second-order or polymorphic λ-
calculus, owing to the fact that the type language is now a second-order propositional logic, with
propositional variables explicitly quantified. In order to emphasize this connection, we actually
write ⇒ instead of →. In this calculus, we shall be able to form types (propositions) such as:

(∀A · A ⇒ A) ⇒ (∀A · A ⇒ A).

Such a calculus was proposed by J.Y. Girard [61,62], and independently discovered by J. Reynolds
[155].
4.1 The inference system

We now have two kinds of variables, the variables bound by λ-abstraction, and the propositional
variables. Each kind will have its own de Bruijn indexing scheme, but we put both kinds of bindings
in one context sequence, in order to ensure that in a λ-binding [x : P] the free propositional
variables of P are correctly scoped. A context Γ is thus a sequence of bindings [x : P] and of
bindings [A : Prop]. We use de Bruijn indexes V(n) and P(n) to reference respectively the two
kinds of variables. However, there is a slight difficulty if one tries to adhere too strictly to de
Bruijn's notation. Consider the context Γ = [A : Prop] [x : A] [B : Prop]. In concrete syntax, we
write Γ ⊢ x : A. But if we use de Bruijn's indexes for propositional names, we get in the abstract
syntax Γ ⊢ V(1) : P(2), i.e. the propositions have to be relocated.

In order to remedy this notational difficulty, we shall assume a mixed naming scheme, allowing
concrete names for free variables of expressions as well as integers for bound variables. The binding
operation [x : P] M denotes now the abstract [P] M', where M' is M with every occurrence of
x replaced by the correct de Bruijn index. Similarly we provide a binding operation ∀A · P for
propositional variables. Finally an operation ΛA · M binds a propositional variable in a term.

A context Γ is said to be valid if it binds variables with well-formed propositions. Thus the
empty context is valid, if Γ is valid and does not bind A then Γ[A : Prop] is valid, and finally if
Γ is valid and does not bind x then Γ[x : P] is valid provided Γ ⊢ P : Prop. This last judgement
(propositional formation) is defined recursively as follows:

If [A : Prop] ∈ Γ then Γ ⊢ A : Prop

If Γ ⊢ P : Prop and Γ ⊢ Q : Prop then Γ ⊢ P ⇒ Q : Prop

If Γ[A : Prop] ⊢ P : Prop then Γ ⊢ ∀A · P : Prop

Let us now give the term-formation rules. We have two more constructors: ΛA · M which makes
a term polymorphic, by ∀-introduction, and <M P>, which instantiates the polymorphic term M
over the type corresponding to proposition P, by ∀-elimination.

Var : If [x : P] ∈ Γ then Γ ⊢ x : P

Abstr : If Γ ⊢ P : Prop and Γ[x : P] ⊢ M : Q then Γ ⊢ [x : P]M : P ⇒ Q

Appl : If Γ ⊢ M : P ⇒ Q and Γ ⊢ N : P then Γ ⊢ (M N) : Q

Gen : If Γ[A : Prop] ⊢ M : P then Γ ⊢ ΛA · M : ∀A · P

Inst : If Γ ⊢ M : ∀A · P and Γ ⊢ Q : Prop then Γ ⊢ <M Q> : P{Q}_P

We do not make explicit the propositional substitution operation P{Q}_P, which is defined
similarly to the λ-calculus substitution M{N} seen previously. The latter will be denoted here by
M{N}_V.

Proposition 1. If Γ is valid, then Γ ⊢ M : P implies Γ ⊢ P : Prop.

We leave the proof of such easy (but tedious) lemmas to the patient reader.

Let us now give an example of a derivation. Let Id := ΛA · [x : A]x. Id is the polymorphic
identity algorithm, and we check easily that ⊢ Id : One, where One := ∀A · A ⇒ A. Note that
indeed One is well-formed in the empty context. Now we may instantiate Id over its own type
One, yielding: ⊢ <Id One> : One ⇒ One. The resulting term may thus be applied to Id, yielding:
⊢ (<Id One> Id) : One.

Similarly, we can define a composition operator for proofs, whose type is the analogue of the cut,
or detachment rule:

[P : Prop] [Q : Prop] [R : Prop] ⊢ [f : P ⇒ Q] [g : Q ⇒ R] [x : P](g (f x)) : ((P ⇒ Q) ⇒
(Q ⇒ R) ⇒ (P ⇒ R)).

We shall use the notation f;g as a shorthand for the too cumbersome (<Compose P Q R> f g),
since the type arguments P, Q and R can be retrieved as subparts of the types of f and g.

4.2 The conversion rules

The calculus admits two conversion rules. The first one is just β:

β : Γ ⊢ ([x : P]M N) ▷ M{N}_V

The second one eliminates the cut formed by introducing and eliminating a quantification:

β' : Γ ⊢ <ΛA · M P> ▷ M{P}_P

Of course, we assume all other rules extending ▷ as a term congruence, as usual. We may also
consider analogues of the η rule.

Proposition 2. If Γ is valid, Γ ⊢ M : P and Γ ⊢ M ▷ N then Γ ⊢ N : P.

4.3 The syntactic interpretation

We proceed as in the last chapter. However, here there are no primitive types. In order to have a
non-trivial interpretation, we introduce a supplementary constant Ω to our untyped λ-terms. Let
Λ_Ω be the set of such terms, and SN be the set of strongly normalizable terms of Λ_Ω.

Definition. A subset S of SN is said to be saturated iff

• ∀N ∈ SN, (M{N} M_1 ... M_n) ∈ S ⟹ ([]M N M_1 ... M_n) ∈ S

• Ω ∈ S

• N_1, ..., N_k ∈ SN ⟹ (Ω N_1 ... N_k) ∈ S.

Note that in the first clause, we may limit ourselves to considering M and the M_i's in SN. We
write Sat for the set of saturated subsets of SN.

We now define the interpretation I by defining for every term M its corresponding pure term
I(M) = ν(M), where

• ν(V(n)) = n

• ν([x : P]M) = []ν(M)

• ν((M N)) = (ν(M) ν(N))

• ν(ΛA · M) = ν(M)

• ν(<M P>) = ν(M).

Note that ν(M) is a pure λ-term constructed over the list of free variables {x | [x : P] ∈ Γ}.

Finally, to every A such that [A : Prop] ∈ Γ we associate an arbitrary saturated set I(A).
Let I(Γ) be the product of all such I(A)'s. We define recursively the interpretation I_G(P), for
G ∈ I(Γ), of a proposition P such that Γ ⊢ P : Prop, as follows:

• I_G(P ⇒ Q) = {M | ∀N ∈ I_G(P) (M N) ∈ I_G(Q)}

• I_G(∀A · P) = ∩_{S ∈ Sat} I_{G×S}(P)

• I_G(A) = G_A.

Example. I(Id) = []1. I(One) contains all strongly normalizable terms whose canonical form is
[]1, plus strongly normalizable terms whose canonical form has head variable Ω.

4.4 Basic meta-mathematical properties

The main use of the interpretation above is to prove:

Girard's theorem. If Γ is valid and Γ ⊢ M : P, then I(M) ∈ I(P) ∈ Sat.

Corollary 1. ν(M) ∈ SN.

Corollary 2: Strong normalisation. The conversion ▷ on typed terms is Noetherian.

(Note that β' alone is Noetherian.)

Definition. Let Γ be a valid context, with Γ ⊢ P : Prop. We say that P is inhabited in Γ iff
I_G(P) contains a term without Ω's, for every G ∈ I(Γ).

Note that if Γ ⊢ M : P, then P is inhabited (by I(M)). We now obtain the consistency of the
logical system as:

Soundness Theorem. The type ∀A · A is not inhabited.

Corollary. There is no term M which proves ∀A · A.

Undecidability Theorem (Löb). The following problem is recursively unsolvable: Given a valid
context Γ and a proposition P, with Γ ⊢ P : Prop, find whether or not there exists an M such
that Γ ⊢ M : P.

The second-order λ-calculus does not admit principal types. For instance, we shall show below that
the combinator K may be typed in several incompatible manners. We may still wonder whether it
is decidable whether an arbitrary pure λ-term is typable in the system or not. This is an important
open problem:

Problem. Give a procedure which, given a pure λ-term T, decides whether or not there exist M
and P such that ⊢ M : P, with T = ν(M). Alternatively, show that the problem is undecidable.
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4.5  Examples  of  polymorphic  proofs 

In  this  section,  we  demonstrate  the  power  of  expression  of  the  second-order  calculus  by  way  of 
examples. 

4.5.1  Intuitionistic  connectives 

We  first  show  that  the  other  propositional  connectives  are  definable  in  the  calculus.  It  is  well 
known  that  the  intuitionistic  connectives  are  definable  in  the  second-order  propositional  calculus. 
The  encoding  of  conjunction  was  already  proposed  by  Russell,  as  explained  in  Prawitz  [150]. 

Let P and Q be two propositions. We define P ∧ Q as the proposition:

P ∧ Q := ∀A · (P ⇒ Q ⇒ A) ⇒ A.

As usual, we associate implications to the right, and applications to the left. The definition above is a correct encoding of ∧, as can be seen from the derivation of the standard rules of conjunction:

[P : Prop][Q : Prop][x : P][y : Q] ⊢ ΛA · [h : P ⇒ Q ⇒ A](h x y) : P ∧ Q
[P : Prop][Q : Prop][x : P ∧ Q] ⊢ (<x P> [u : P][v : Q]u) : P
[P : Prop][Q : Prop][x : P ∧ Q] ⊢ (<x Q> [u : P][v : Q]v) : Q.

In order to understand this sort of definition, it is best to wonder what is the operational use of the concept one is trying to define. Once this is clear, the concept can be easily programmed. This procedural interpretation is faithful to the intuitionistic semantics. For instance, P ∧ Q is a method for proving any proposition A, provided one has a proof that A follows from P and Q. Note that the proof of ∧-introduction above is a pairing algorithm, the two projections being the proofs of ∧-elimination on the left and on the right.

We may similarly "program" the (intuitionistic) sum P + Q of two propositions P and Q:

P + Q := ∀A · (P ⇒ A) ⇒ (Q ⇒ A) ⇒ A.

Sum elimination is proved by the conditional, or case expression:

[P : Prop][Q : Prop] ⊢ ΛA · [u : P ⇒ A][v : Q ⇒ A][x : P + Q](<x A> u v)

: ∀A · (P ⇒ A) ⇒ (Q ⇒ A) ⇒ (P + Q) ⇒ A.

The two sum introductions correspond to the two injections:

[P : Prop][Q : Prop] ⊢ [x : P]ΛA · [u : P ⇒ A][v : Q ⇒ A](u x) : P ⇒ (P + Q)

[P : Prop][Q : Prop] ⊢ [y : Q]ΛA · [u : P ⇒ A][v : Q ⇒ A](v y) : Q ⇒ (P + Q).

4.5.2 Classical logic

Classical reasoning is reasoning by contradiction. The contradiction, or absurd proposition, proves every proposition A by mere application:

⊥ := ∀A · A.

⊥ has no proof, and may thus play the rôle of the truth-value False. Negating a proposition amounts to asserting that it implies ⊥, whence the concept of negation:

¬[A : Prop] := A ⇒ ⊥.

The Sheffer stroke A | B (read "A contradictory with B") may be defined as:

[A : Prop] | [B : Prop] := A ⇒ B ⇒ ⊥.

It is easy to show, for all A and B, that A | B and ¬(A ∧ B) imply each other. The other classical connectives may be simply expressed in terms of | :

[A : Prop] ⊃ [B : Prop] := A | ¬B
[A : Prop] ∨ [B : Prop] := (¬A) | (¬B)

[A : Prop] ≡ [B : Prop] := (A ⊃ B) ∧ (B ⊃ A).

Let us call classical closure of proposition A its double negation:

C([A : Prop]) := ¬(¬A).

Every proposition denies its negation:

[A : Prop] ⊢ [p : A][q : ¬A](q p) : A ⇒ C(A).

The reverse implication holds only of classical propositions:

Classical([A : Prop]) := C(A) ⇒ A.

We can show that ⊥, ¬, | construct only classical propositions, and thus so do ⊃ and ∨. Finally, ∧ preserves the property of being classical, and thus ≡ constructs also classical propositions.

Actually, classical reasoning consists in general in showing that a set of propositions {A₁, ..., Aₙ} is contradictory. The connectives ⊥, ¬, | express this notion for n = 0, 1, 2 respectively.

Let us remark that it is easy to prove the principle of the excluded middle:

[A : Prop] ⊢ <Id C(A)> : ¬A ∨ A.

Indeed, unfolding the definitions, ¬A ∨ A is (¬¬A) | (¬A), that is C(A) ⇒ ¬A ⇒ ⊥, which is C(A) ⇒ C(A): the identity at C(A) proves it.

Remark. Many other encodings of the propositional connectives may be used. Let us give two alternate definitions for classical disjunction:

[A : Prop] ∨′ [B : Prop] := C(A + B)

[A : Prop] ∨″ [B : Prop] := ∀C · Classical(C) ⇒ (A ⇒ C) ⇒ (B ⇒ C) ⇒ C.

We  now  turn  to  axiomatizing  universal  algebra  and  abstract  data  types. 

4.5.3 Initial algebras

We first show how to formalize the elementary notions from Algebra, in particular the notion of free algebra over a given signature. We start with the homogeneous case, that is we assume in the following that contexts start with a proposition letter taken as unique sort: [A : Prop].

For every n ≥ 0, we define the A-cardinal n̄ associated to n by induction:

0̄ = A

(n + 1)‾ = A ⇒ n̄

(so that n̄ = A ⇒ ··· ⇒ A, with n + 1 occurrences of A).

We define now the functionality φ(Σ) associated to a signature Σ, represented as a list of operators given with their arity, by:

φ({}) = A

φ([F : n] Σ) = n̄ ⇒ φ(Σ).

Such definitions are easily programmable in the meta-language.

We now obtain the weakly initial algebra associated to signature Σ by abstracting over the type given as carrier of the algebra:

I(Σ) = ∀A · φ(Σ).

Let us now consider an arbitrary Σ-algebra. That is, we assume we place ourselves in context Γ:

Γ = [A : Prop][F₁ : n̄₁] ··· [Fₛ : n̄ₛ].

If M : I(Σ) is an arbitrary construction of an element of the initial Σ-algebra, we call image of M in the Σ-algebra Γ the term M̂ = (<M A> F₁ ··· Fₛ). We remark that this term is well-formed, with type A. This notion of image corresponds, classically, to taking the image of M by the unique Σ-morphism from I(Σ) to Γ. For instance, when M₁ : I(Σ), M₂ : I(Σ), ..., M_{n_k} : I(Σ), we get (F_k M̂₁ ··· M̂_{n_k}) : A. We define thus an F̂_k operator of arity n_k over I(Σ), that we call the F_k-constructor, obtained by discharging Γ and a list of n_k variables of type I(Σ).

Definition. Let Σ be an arbitrary signature of length s:

Σ = [F₁ : n₁] ··· [Fₛ : nₛ].

We define the set Dat(Σ) of data elements of Σ as the set:

{ν(M) | M = ΛA · [F₁ : n̄₁] ··· [Fₛ : n̄ₛ]N with N canonical}.

Remark. The set of canonical elements in I(Σ) has too much redundancy if we do not assume the η rule of conversion. The data elements restrict consideration to the λ-terms in η-expanded normal form.

The Representation Theorem. Dat(Σ), structured with the constructors, is isomorphic to the initial algebra in the class of all Σ-algebras.

Problem. Prove the theorem above.

4.5.4 Examples of data types

Let us now give a few examples. When Σ = {}, we get I(Σ) = ⊥, the empty algebra. When Σ = [ι : 0], we get I(Σ) = One := ∀A · A ⇒ A, and the ι-constructor is Id = ΛA · [ι : A]ι.

With Σ = [t : 0][f : 0], we get I(Σ) = Bool := ∀A · A ⇒ A ⇒ A, and the two constructors are the Booleans of Church [30]:

True := ΛA · [t : A][f : A]t
False := ΛA · [t : A][f : A]f.

When Σ = [s : 1][z : 0], we get I(Σ) = Nat, Church's naturals:

Nat := ∀A · (A ⇒ A) ⇒ A ⇒ A

S := [n : Nat]ΛA · [s : A ⇒ A][z : A](s (<n A> s z))

0 := ΛA · [s : A ⇒ A][z : A]z.

When Σ = [c : 2][n : 0], we get I(Σ) = Bin, the binary trees:

Bin := ∀A · (A ⇒ A ⇒ A) ⇒ A ⇒ A

Cons := [a₁ : Bin][a₂ : Bin]ΛA · [c : A ⇒ A ⇒ A][n : A](c (<a₁ A> c n) (<a₂ A> c n))

Nil := ΛA · [c : A ⇒ A ⇒ A][n : A]n.

4.5.5 Generalisation to non-homogeneous algebras

It is straightforward to generalize these notions to the non-homogeneous case, introducing as many sorts as necessary. For instance, the list structure is axiomatized on two sorts A and B as follows:

List := ∀A, B · (A ⇒ B ⇒ B) ⇒ B ⇒ B.

The operation of adding an element to a list is polymorphic. Let us consider the list schema, over proposition A:

List A := ∀B · (A ⇒ B ⇒ B) ⇒ B ⇒ B.

We now define, in context Γ = [A : Prop]:

Add := [x : A][L : (List A)]ΛB · [c : A ⇒ B ⇒ B][e : B](c x (<L B> c e))

which, once A is discharged, has type ∀A · A ⇒ (List A) ⇒ (List A).

We remark the analogy with ML's list constructor. Here the empty list is doubly polymorphic:

Empty := ΛA · ΛB · [c : A ⇒ B ⇒ B][e : B]e : List.

More generally, we may define all the data structures corresponding to free algebras. We remark that the corresponding propositions are restricted to degree 2, with the degree δ defined as:

• δ(A) = 0 (A variable)

• δ(∀A · M) = δ(M)

• δ(P ⇒ Q) = max{1 + δ(P), δ(Q)}.

Problem.  Generalize  the  Representation  theorem  above  to  the  non-homogeneous  case. 
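The encodings of sections 4.5.3 to 4.5.5, as an added example that is not part of the original notes: TypeScript's generic function types stand in for ∀A · φ(Σ), the explicit type argument M<A>(...) is the instantiation <M A>, and the "image" of an element in a Σ-algebra with carrier A is computed by handing it that algebra's operators. The helper names (toNumber, leaves, depth, toArray, fromNumber) and the sample data are this example's own.

```typescript
// Added example: Church encodings of the initial algebras of 4.5.3-4.5.5.
// A proposition ∀A · φ(Σ) becomes a generic arrow type; <M A> becomes M<A>(...).
// Helper names below are this example's own, not from the notes.

type One = <A>(i: A) => A;                                // Σ = [ι : 0]
type Bool = <A>(t: A, f: A) => A;                         // Σ = [t : 0][f : 0]
type Nat = <A>(s: (a: A) => A, z: A) => A;                // Σ = [s : 1][z : 0]
type Bin = <A>(c: (l: A, r: A) => A, n: A) => A;          // Σ = [c : 2][n : 0]
type List<X> = <B>(c: (x: X, acc: B) => B, e: B) => B;    // sorts: elements X, carrier B

// Constructors: each one re-abstracts over the carrier and the operators.
const Id: One = (i) => i;
const True: Bool = (t, _f) => t;
const False: Bool = (_t, f) => f;
const Zero: Nat = (_s, z) => z;
const S = (n: Nat): Nat => (s, z) => s(n(s, z));           // S := [n : Nat]ΛA·[s][z](s (<n A> s z))
const Nil: Bin = (_c, n) => n;
const Cons = (l: Bin, r: Bin): Bin => (c, n) => c(l(c, n), r(c, n));
function Empty<X>(): List<X> { return (_c, e) => e; }     // doubly polymorphic (X and B)
const Add = <X>(x: X, l: List<X>): List<X> => (c, e) => c(x, l(c, e));

// Images in concrete Σ-algebras: the unique Σ-morphism out of the initial algebra
// is obtained by instantiating at the carrier and passing that algebra's operators.
const toBoolean = (b: Bool): boolean => b<boolean>(true, false);
const toNumber = (n: Nat): number => n<number>((k) => k + 1, 0);
const leaves = (t: Bin): number => t<number>((l, r) => l + r, 1);              // carrier: numbers, Nil ↦ 1
const depth = (t: Bin): number => t<number>((l, r) => 1 + Math.max(l, r), 0);  // carrier: numbers, Nil ↦ 0
const toArray = <X>(l: List<X>): X[] => l<X[]>((x, acc) => [x, ...acc], []);

// The other direction of the Representation theorem for Nat: every number is the
// image of exactly one data element (S applied k times to 0).
function fromNumber(k: number): Nat {
  let n: Nat = Zero;
  for (let i = 0; i < k; i++) n = S(n);
  return n;
}

// Sample data, constructed here for the demonstration.
const three: Nat = S(S(S(Zero)));
const tree: Bin = Cons(Cons(Nil, Nil), Nil);
const xs: List<number> = Add(1, Add(2, Add(3, Empty<number>())));

console.log(Id<string>("one"), toBoolean(True), toNumber(three), leaves(tree), depth(tree), toArray(xs));
```

toNumber, leaves, depth and toArray are exactly the Σ-morphisms of the Representation theorem. Note that only iteration (a fold) is available: a predecessor or a left subtree cannot be read off by pattern matching, it has to be rebuilt by folding with pairs.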

4.5.6 Second-order arithmetic

Let us give a few examples of programs over naturals. Addition is obtained by iterating successor:

Plus := [m : Nat][n : Nat](<n Nat> S m).

Other definitions are possible. Multiplication is similarly obtained by iterating addition:

Times := [m : Nat][n : Nat](<n Nat> (Plus m) 0).

We may also "see" our naturals as polymorphic iterators. Another possible definition of multiplication of m and n would thus be the composition m;n.

Exponentiation is obtained by iterating multiplication:

Exp := [m : Nat][n : Nat](<n Nat> (Times m) (S 0)).

Iterating a natural on a functional type may produce non-primitive recursive functions; for instance we get Ackermann's function by diagonalization:

Ack := [n : Nat](<n (Nat ⇒ Nat)> ([f : Nat ⇒ Nat][m : Nat](<m Nat> f m)) S).

Indeed, most (total) recursive functions are definable as proofs in this formal system:

Theorem. (Girard [62]. See also [173]). Every recursive function provably total in second-order arithmetic is definable as a proof of type Nat ⇒ Nat in the polymorphic λ-calculus.
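The programs of this section, as an added TypeScript example (not code from the notes): Nat, S and 0 are encoded as in the previous example, and the wrappers on JS numbers (plus, times, timesComp, power, ack, fromNumber) are this example's own names.

```typescript
// Added example: the programs of 4.5.6 on Church naturals. <n Nat> f x is n<Nat>(f, x).
// Function names are this example's own; definitions follow Plus, Times, Exp, Ack above.

type Nat = <A>(s: (a: A) => A, z: A) => A;
const Zero: Nat = (_s, z) => z;
const S = (n: Nat): Nat => (s, z) => s(n(s, z));
const toNumber = (n: Nat): number => n<number>((k) => k + 1, 0);
function fromNumber(k: number): Nat {
  let n: Nat = Zero;
  for (let i = 0; i < k; i++) n = S(n);
  return n;
}

// Plus := [m : Nat][n : Nat](<n Nat> S m): apply S n times, starting from m.
const Plus = (m: Nat) => (n: Nat): Nat => n<Nat>(S, m);
// Times := [m : Nat][n : Nat](<n Nat> (Plus m) 0): apply "add m" n times, from 0.
const Times = (m: Nat) => (n: Nat): Nat => n<Nat>(Plus(m), Zero);
// The composition m;n of iterators: iterate s^m, n times. Same function, no arithmetic.
const TimesComp = (m: Nat) => (n: Nat): Nat => (s, z) => n((a) => m(s, a), z);
// Exp := [m : Nat][n : Nat](<n Nat> (Times m) (S 0)).
const Exp = (m: Nat) => (n: Nat): Nat => n<Nat>(Times(m), S(Zero));

// Ack := [n : Nat](<n (Nat ⇒ Nat)> ([f : Nat ⇒ Nat][m : Nat](<m Nat> f m)) S).
// Iterating over the functional type Nat ⇒ Nat is what escapes primitive recursion:
// Ack(0) = S, Ack(1)(m) = 2m, Ack(2)(m) = m·2^m, Ack(3)(m) = (k ↦ k·2^k)^m(m), ...
type NatFun = (m: Nat) => Nat;
const Ack = (n: Nat): NatFun => n<NatFun>((f) => (m) => m<Nat>(f, m), S);

// Wrappers on JS numbers for the demonstration; the arithmetic itself happens on
// Church numerals, so keep arguments small (each result is a nest of closures).
const plus = (a: number, b: number): number => toNumber(Plus(fromNumber(a))(fromNumber(b)));
const times = (a: number, b: number): number => toNumber(Times(fromNumber(a))(fromNumber(b)));
const timesComp = (a: number, b: number): number => toNumber(TimesComp(fromNumber(a))(fromNumber(b)));
const power = (a: number, b: number): number => toNumber(Exp(fromNumber(a))(fromNumber(b)));
const ack = (n: number, m: number): number => toNumber(Ack(fromNumber(n))(fromNumber(m)));

console.log(plus(3, 4), times(3, 4), timesComp(3, 4), power(2, 5), ack(2, 3));
```

Everything here is pure iteration: no recursion operator is used, and Ack is obtained only because n may be instantiated at the type Nat ⇒ Nat. The wrappers deliberately keep the arguments small, since a numeral k is a k-deep nest of closures.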

4.5.7 Algebraic Programming

We may consider the polymorphic λ-calculus a powerful applicative programming language. It is both poorer than ML, in that no universal recursion operator is available, and richer, in that it provides a more complicated type structure. The price to pay is that there is no algorithm for synthesizing a principal type.

This language is revolutionary, in that it confuses data structures and control structures. Here, a data structure is but an unfulfilled control structure, waiting for more arguments to be able to "compute itself out". Thus to each of the data types seen above corresponds naturally a control structure. For One it is just the identity algorithm. For Bool it is the notion of conditional; that is, if b : Bool and M : A, N : A are the two branches of the conditional, the expression If b Then M Else N may be implemented as (<b A> M N) : A. For Nat, the polymorphic natural n : Nat may be thought of as the construction for i := 1 to n do. Compare this with Iterate n, as defined in 1.1.1. Note that equality to zero is easily defined as:

EqZero := [n : Nat](<n Bool> [b : Bool]False True).

As remarked above, the conjunction connective builds in product. Writing alternatively A × B for A ∧ B as defined above, we get the pairing and projection algorithms as proofs of respectively ∧-intro and ∧-elim:

Pair := ΛA, B · [x : A][y : B]ΛC · [h : A ⇒ B ⇒ C](h x y)

Fst := ΛA, B · [x : A × B](<x A> [u : A][v : B]u)

Snd := ΛA, B · [x : A × B](<x B> [u : A][v : B]v)

Thus, for instance, for any types A and B, <Fst A B> : A × B ⇒ A, just as in ML.

However, the sum constructor is different: there is no analogue of the operators outl and outr here, since all the functions we may define are total:

Case := ΛA, B · [x : A + B]ΛC · [u : A ⇒ C][v : B ⇒ C](<x C> u v)

Inl := ΛA, B · [x : A]ΛC · [u : A ⇒ C][v : B ⇒ C](u x)

Inr := ΛA, B · [x : B]ΛC · [u : A ⇒ C][v : B ⇒ C](v x)
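The control structures of this section and the connectives of 4.5.1 they implement, as an added TypeScript example (not the notes' code): Bool and Nat are encoded as before, and the names Prod, Sum, toBoolean, swap, describe and isZeroText are this example's own.

```typescript
// Added example: the control structures of 4.5.7 that come with the data types of 4.5.4.
// Names (Prod, Sum, toBoolean, describe, swap) are this example's own.

type Bool = <A>(t: A, f: A) => A;
type Nat = <A>(s: (a: A) => A, z: A) => A;
const True: Bool = (t, _f) => t;
const False: Bool = (_t, f) => f;
const Zero: Nat = (_s, z) => z;
const S = (n: Nat): Nat => (s, z) => s(n(s, z));
const toBoolean = (b: Bool): boolean => b<boolean>(true, false);

// If b Then M Else N is (<b A> M N). Caveat for a strict host language: both branches
// are evaluated before b chooses one, so pass thunks when a branch is costly or effectful.
const If = <A>(b: Bool, m: A, n: A): A => b<A>(m, n);
// EqZero := [n : Nat](<n Bool> [b : Bool]False True): n steps of "answer False" from True.
const EqZero = (n: Nat): Bool => n<Bool>((_b) => False, True);

// A × B := ∀C · (A ⇒ B ⇒ C) ⇒ C; Pair is ∧-intro, Fst and Snd are the two ∧-elims.
type Prod<A, B> = <C>(h: (a: A, b: B) => C) => C;
const Pair = <A, B>(x: A, y: B): Prod<A, B> => (h) => h(x, y);
const Fst = <A, B>(p: Prod<A, B>): A => p<A>((u, _v) => u);
const Snd = <A, B>(p: Prod<A, B>): B => p<B>((_u, v) => v);

// A + B := ∀C · (A ⇒ C) ⇒ (B ⇒ C) ⇒ C. No outl/outr: the only eliminator is Case,
// which is total because a handler for each injection must be supplied.
type Sum<A, B> = <C>(u: (a: A) => C, v: (b: B) => C) => C;
const Inl = <A, B>(x: A): Sum<A, B> => (u, _v) => u(x);
const Inr = <A, B>(y: B): Sum<A, B> => (_u, v) => v(y);
const Case = <A, B, C>(s: Sum<A, B>, u: (a: A) => C, v: (b: B) => C): C => s<C>(u, v);

// Constructed sample uses.
const swap = <A, B>(p: Prod<A, B>): Prod<B, A> => Pair(Snd(p), Fst(p));
const describe = (s: Sum<number, string>): string =>
  Case(s, (k) => `number ${k}`, (label) => `label ${label}`);
const isZeroText = (n: Nat): string => If(EqZero(n), "zero", "positive");

console.log(Fst(swap(Pair(1, "a"))), describe(Inl<number, string>(3)), isZeroText(S(Zero)));
```

The type checker enforces the totality remark of the text: there is no way to write a function Sum<A, B> → A, because the only thing a Sum value can do is run both handlers you give it.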

4.5.8 Primitive recursion

It is possible to represent standard program schemas by combinators. For instance, it is shown in [39] how to define simple primitive recursive schemes.

4.5.9 Ordinals

All the propositions (types) considered above are very simple, since they are restricted to degree 2.

With more complex types, we may define richer data structures. For instance, Th. Coquand [36] has shown how to define ordinal notations, as an extension of the naturals above. We just enrich Nat with a limit operation, which associates an ordinal to a sequence of ordinals, represented as a function of domain Nat. We define thus:

Ord := ∀A · ((Nat ⇒ A) ⇒ A) ⇒ (A ⇒ A) ⇒ A ⇒ A

Olim := [σ : Nat ⇒ Ord]ΛA · [li : (Nat ⇒ A) ⇒ A][s : A ⇒ A][z : A](li [n : Nat](<(σ n) A> li s z))

Osucc := [α : Ord]ΛA · [li : (Nat ⇒ A) ⇒ A][s : A ⇒ A][z : A](s (<α A> li s z))

Ozero := ΛA · [li : (Nat ⇒ A) ⇒ A][s : A ⇒ A][z : A]z.

It is straightforward to coerce a natural into the corresponding ordinal, which defines the sequence of finite ordinals:

Finite := [n : Nat](<n Ord> Osucc Ozero).

Note that we instantiate the polymorphic natural n over type Ord. Thus the meaning of type quantification is to quantify over an arbitrary proposition definable in the calculus, and not simply over some totality circumscribed to the construction at hand. In other words, the calculus is inherently impredicative, and we are using this feature in an essential way.




The first transfinite ordinal, ω, may be simply obtained as limit of finite ordinals:

ω := (Olim Finite).

We may program over ordinals the same way we do with naturals:

Oplus := [α : Ord][β : Ord](<β Ord> Olim Osucc α)

Otimes := [α : Ord][β : Ord](<β Ord> Olim (Oplus α) Ozero)

Oexp := [α : Ord][β : Ord](<β Ord> Olim (Otimes α) (Osucc Ozero)).

Our ordinals are in fact ordinal notations, i.e. ordinals presented by fundamental sequences. In particular, (Oplus (Osucc Ozero) ω) and ω are two distinct constructions.

We may get the ordinal ε₀ as the iteration (Oexp ω (Oexp ω ···)):

ε₀ := (<ω Ord> Olim (Oexp ω) Ozero).

We may now use ordinals to define functional hierarchies. First, we give preliminary definitions concerning integer functions:

Incr := [f : Nat ⇒ Nat][n : Nat](S (f n))

Iter := [f : Nat ⇒ Nat][n : Nat](<n Nat> f n)

Diag := [σ : Nat ⇒ Nat ⇒ Nat][n : Nat](σ n n).

Schwichtenberg's fast hierarchy may be defined as:

Fast := [α : Ord](<α (Nat ⇒ Nat)> Diag Iter S)

(the last argument must have type Nat ⇒ Nat, hence the successor S on naturals), and the slow hierarchy is defined similarly (note that we just change the successor argument):

Slow := [α : Ord](<α (Nat ⇒ Nat)> Diag Incr S).

It is to be noted that (Fast ε₀) is a total recursive function, but this fact is independent of (i.e. neither provable nor refutable in) Peano arithmetic [58,100].
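The ordinal notations and the two hierarchies, as an added TypeScript example that is not part of the notes: Nat and the Ord operations mirror the definitions above, while the number wrappers (fast, slow, fromNumber, toNumber) and the name onePlusOmega are this example's own.

```typescript
// Added example: Coquand's ordinal notations of 4.5.9 and the fast/slow hierarchies,
// as Church encodings. Names (fast, slow, toNumber, onePlusOmega, ...) are this
// example's own; the definitions mirror Ord, Olim, Osucc, Ozero, Finite, Oplus, ... above.

type Nat = <A>(s: (a: A) => A, z: A) => A;
const Zero: Nat = (_s, z) => z;
const S = (n: Nat): Nat => (s, z) => s(n(s, z));
const toNumber = (n: Nat): number => n<number>((k) => k + 1, 0);
function fromNumber(k: number): Nat {
  let n: Nat = Zero;
  for (let i = 0; i < k; i++) n = S(n);
  return n;
}

// Ord := ∀A · ((Nat ⇒ A) ⇒ A) ⇒ (A ⇒ A) ⇒ A ⇒ A: Nat enriched with a limit of
// Nat-indexed sequences.
type Ord = <A>(lim: (seq: (n: Nat) => A) => A, s: (a: A) => A, z: A) => A;
const Ozero: Ord = (_lim, _s, z) => z;
const Osucc = (a: Ord): Ord => (lim, s, z) => s(a(lim, s, z));
const Olim = (sigma: (n: Nat) => Ord): Ord => (lim, s, z) => lim((n) => sigma(n)(lim, s, z));

// Finite := [n : Nat](<n Ord> Osucc Ozero): the natural n is instantiated at type Ord.
const Finite = (n: Nat): Ord => n<Ord>(Osucc, Ozero);
const omega: Ord = Olim(Finite);

// Ordinal arithmetic, iterating over the second argument exactly as for Nat.
const Oplus = (a: Ord) => (b: Ord): Ord => b<Ord>(Olim, Osucc, a);
const Otimes = (a: Ord) => (b: Ord): Ord => b<Ord>(Olim, Oplus(a), Ozero);
const Oexp = (a: Ord) => (b: Ord): Ord => b<Ord>(Olim, Otimes(a), Osucc(Ozero));
const eps0: Ord = omega<Ord>(Olim, Oexp(omega), Ozero);   // limit of ω, ω^ω, ω^ω^ω, ...

// Integer-function combinators of the hierarchies.
type NatFun = (n: Nat) => Nat;
const Incr = (f: NatFun): NatFun => (n) => S(f(n));
const Iter = (f: NatFun): NatFun => (n) => n<Nat>(f, n);        // f^n(n)
const Diag = (sigma: (n: Nat) => NatFun): NatFun => (n) => sigma(n)(n);

// Fast := [α : Ord](<α (Nat ⇒ Nat)> Diag Iter S):
// F_0 = S, F_{α+1}(n) = F_α^n(n), F_λ(n) = F_{λ[n]}(n) for a limit λ with sequence λ[·].
const Fast = (a: Ord): NatFun => a<NatFun>(Diag, Iter, S);
// Slow: same shape, the successor step replaced by Incr, so G_{α+1}(n) = G_α(n) + 1.
const Slow = (a: Ord): NatFun => a<NatFun>(Diag, Incr, S);

// Wrappers on JS numbers for the demonstration.
const fast = (a: Ord, n: number): number => toNumber(Fast(a)(fromNumber(n)));
const slow = (a: Ord, n: number): number => toNumber(Slow(a)(fromNumber(n)));

// These are notations: 1 + ω and ω name the same ordinal but carry different
// fundamental sequences (n ↦ n + 1 versus n ↦ n), and the hierarchies see the difference.
const onePlusOmega: Ord = Oplus(Osucc(Ozero))(omega);

console.log(fast(Finite(fromNumber(2)), 3), fast(omega, 2), slow(omega, 3), slow(onePlusOmega, 3));
```

Only small arguments are usable with Fast: fast(omega, 2) is F₂(2) = 8, but F₃(3) already exceeds what a Church numeral can represent in memory, and eps0 is defined here only to show that the notation is expressible, not to be evaluated.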

5  The  Calculus  of  Constructions 

5.1  Designing  a  higher-order  system 

The first step consists in extending the polymorphic λ-calculus in order to allow the binding of proposition schemas. This permits the definition of propositional connectives inside the formalism. For instance, in polymorphic λ-calculus, we defined ∧ at the level of the meta-notation; ∧ was just a macro of the meta language expanding into a proposition of the formal system. Now we want to be able to write ∧ as a combinator internally.

Next  we  abstract  on  such  propositional  connectives,  leading  to  a  higher-order  propositional 
calculus.  The  first  problem  we  encounter  is  a  notational  one.  We  shall  have  to  distinguish  between 
the  proposition  schemas,  where  some  variable  is  functionally  abstracted,  and  the  propositions  where 
the  same  variable  is  universally  quantified. 

Convention.  We  shall  keep  the  square  brackets  for  functional  abstraction,  and  use  parentheses 
for  universal  quantification,  using  the  traditional  notation  (x  :  A)M. 

The second extension consists in adding a first-order part, allowing quantification and abstraction on "elements". The natural question to investigate is: what are we going to choose as the types of the elements? The simplest decision is to follow once more the Curry-Howard paradigm: we already have the proofs, as elements of the types the propositions. This gives us not only 1st-order logic, but higher-order logic as well, since an implication will play the role of a functional type, and thus we encompass Church's theory of types just because we shall have intuitionistic propositional calculus as a sub-system of the propositions. We may wonder why it is legitimate to use the proofs as elements: aren't we pre-supposing some structure of our domains? Actually not, since the proofs are the bare bones of a functional type system: they are nothing more and nothing less than the λ-expressions of the right type.

Let us thus assume that we have propositions closed under quantification (x : P)Q and abstraction [x : P]Q. The first remark is that implication becomes a derived notion: P ⇒ Q is just a notational variant for (x : P)Q in the special case when x does not occur in Q. What we shall now get is an intuitionistic version of Church's theory of types with dependent products.


5.2 The Calculus of Constructions, first version

5.2.1 The inference system

Let us now introduce explicitly a constant Prop for the type of propositions. At the level of proofs, [P : Prop]M gives us what we wrote previously ΛP · M. Similarly, quantifying a proposition over Prop, as in (P : Prop)Q, gives us what we wrote previously ∀P · Q. This suggests unifying also the notation <M P> with (M N). We thus arrive at a very simple calculus.

The types of proposition schemas are formed by quantification over the constant Prop. Let us use the constant Type for denoting all such types. We thus have two "kinds" of types: the types in the sense of Church's type theory, which here are all the terms of type Type, and the types in the sense of the propositions-as-types principle, which are here all the terms of type Prop. In the following, we use the meta-variable K (for an arbitrary kind) to stand for either of the constants Type and Prop.

In all the following rules, Γ is assumed to be a valid context, where the rules for valid contexts are:

• The empty context {} is valid.

• If Γ is a valid context which does not bind variable x and Γ ⊢ T : K then Γ[x : T] is a valid context.

• If Γ is a valid context which does not bind variable t then Γ[t : Type] is a valid context.

The first rule concerns accessing variables in a context:

Var:        [x : T] ∈ Γ
            ───────────
            Γ ⊢ x : T

The above rule is shorthand for Γ ⊢ Var(k) : T↑k when Γ_k = [x : T], where T↑k is T lifted over the k variables bound after it.

We state that Prop is the only pre-defined atomic type:

Prop:       Γ ⊢ Prop : Type

More types are obtained by quantification, seen as generalized product:

Product:    Γ ⊢ P : K     Γ[x : P] ⊢ M : Type
            ─────────────────────────────────
            Γ ⊢ (x : P)M : Type

Similarly, quantification on propositions gives more propositions:

Quant:      Γ ⊢ P : K     Γ[x : P] ⊢ M : Prop
            ─────────────────────────────────
            Γ ⊢ (x : P)M : Prop

Finally, we have term formation rules:

            Γ ⊢ T : K     Γ[x : T] ⊢ P : K′     Γ[x : T] ⊢ M : P
            ──────────────────────────────────────────────────
            Γ ⊢ [x : T]M : (x : T)P

            Γ ⊢ M : (x : T)P     Γ ⊢ N : T
            ──────────────────────────────
            Γ ⊢ (M N) : P{N}

where P{N} denotes P with N substituted for x.

Remark. The constant Type is a "type of all types". However, it is not itself of type Type.

Definitions. Let Γ ⊢ M : N, with Γ a valid context. When N = Type, we say that M is a valid Γ-type. When N = Prop, we say that M is a valid Γ-proposition. Finally, when Γ ⊢ M : N, with N a valid Γ-proposition, we say that M is a Γ-element. The pure system of Constructions is obtained by deleting the third rule of context formation, which allows the introduction of Type variables. In the pure system, the only primitive type is Prop, and thus the only valid types are the products of the form (x₁ : P₁)(x₂ : P₂) ··· (xₙ : Pₙ)Prop.

We shall use a number of abbreviations. First, we write ⊢ M : P for {} ⊢ M : P. Then, we give notations for the non-dependent products, that is for terms (u : P)Q in the case where u does not occur in Q. When both P and Q are propositions, we write P ⇒ Q. In other cases we write rather P → Q. Finally, we abbreviate (A : Prop)M into ∀A · M and [A : Prop]M into ΛA · M.

5.2.2 Adding type conversion

In the polymorphic λ-calculus seen in the last chapter, we defined propositional connectives as abbreviations. Thus for propositions P and Q, the notation P ∧ Q was just a meta-linguistic notation for the appropriate proposition. In the new calculus under consideration, connectives are indeed definable as expressions, and propositions are formed using the general rules of λ-calculus. We should therefore expect to need internal reduction rules for playing the role of macro-expansion.

It is indeed the case that such rules are necessary for type-checking. For instance, let us assume we define conjunction along the ideas of the previous chapter:

∧ := [P : Prop][Q : Prop](R : Prop)(P ⇒ Q ⇒ R) ⇒ R.

Now if we try to define the first projection, in a context

Γ = [P : Prop][Q : Prop][x : (∧ P Q)],

we shall be unable to form the term (x P), unless we are able to recognize that the type (∧ P Q) is equal (by β-conversion) to (R : Prop)(P ⇒ Q ⇒ R) ⇒ R.

The above discussion shows that some amount of type equality rules must be provided in a higher-order calculus. To what extent such rules should be explicit (from the point of view of a user checking a derivation using inference rules) is unclear. For instance, we may profit from meta-theoretical results (confluence, strong normalization) and convert all types to normal form using λ-calculus reduction rules. Now type equality is just identity of such canonical forms. But there is an obvious drawback here: we may spend useless time converting to normal form some types which could be recognized as different immediately by inspection of their head normal form. Thus [u : A][v : A](u ···) and [u : A][v : A](v ···) need not be reduced any further. This problem is aggravated by the fact that the higher-order nature of the calculus makes it possible to have
5.2.3 Example

We want to define the intersection of a class of classes on a given type A. A natural attempt is to take

Inter := [C : (A → Prop) → Prop][x : A](P : A → Prop)(C P) ⇒ (P x).

Let us place ourselves in the context

Γ = [C₀ : (A → Prop) → Prop][P₀ : A → Prop][p₀ : (C₀ P₀)].

We shall build a proof of the inclusion of the predicate (Inter C₀) in the predicate P₀. Let us consider

Δ = Γ[x : A][h : (Inter C₀ x)].

We want to build with p₀, x, h, P₀, C₀ a term of type (P₀ x).

Intuitively, h, which is of type (Inter C₀ x), is also (by logical conversion using the definition of Inter) of type (P : A → Prop)(C₀ P) ⇒ (P x), and thus we may construct the term (h P₀ p₀). Now, taking:

Subset := [P : A → Prop][Q : A → Prop](x : A)(P x) ⇒ (Q x) : (P : A → Prop)(Q : A → Prop)Prop,

we get

Γ ⊢ [x : A][h : (Inter C₀ x)](h P₀ p₀) : (Subset (Inter C₀) P₀).

This example shows that the type conversion rules are absolutely needed as soon as one wants to develop mathematical proofs (note that this example can be developed in the restricted calculus as well as in the full calculus). The need for conversion rules is equally emphasized in [121] and [166].
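The conversion check that sections 5.2.2 and 5.2.3 call for, as an added TypeScript example that is not part of the notes: a β-normaliser for the term language of 5.2.1, with de Bruijn indices in place of names, used to verify that (∧ P Q) unfolds to the product needed for (x P) and that (Inter C₀ x) unfolds to the type needed for (h P₀ p₀). The type Term and the helpers (shift, subst, nf, convertible, Arrow, isProduct) are this example's own.

```typescript
// Added example: a small β-normaliser for the term language of 5.2.1, used to decide
// the type conversions required in 5.2.2 (∧ P Q) and 5.2.3 (Inter C₀ x).
// Bound variables are de Bruijn indices (Var 0 = innermost binder), as in Var(k) above,
// so conversion is plain structural equality of normal forms. Names are this example's own.

type Term =
  | { tag: "Prop" }
  | { tag: "Type" }
  | { tag: "Var"; i: number }
  | { tag: "App"; f: Term; a: Term }
  | { tag: "Lam"; ty: Term; body: Term }   // [x : ty]body
  | { tag: "Pi"; ty: Term; body: Term };   // (x : ty)body; also P ⇒ Q and P → Q

const Prop: Term = { tag: "Prop" };
const V = (i: number): Term => ({ tag: "Var", i });
const Lam = (ty: Term, body: Term): Term => ({ tag: "Lam", ty, body });
const Pi = (ty: Term, body: Term): Term => ({ tag: "Pi", ty, body });
const app = (f: Term, a: Term): Term => ({ tag: "App", f, a });
const App = (f: Term, ...args: Term[]): Term => args.reduce(app, f);
// Non-dependent product P ⇒ Q: Q moves under one binder, so its free indices shift by 1.
const Arrow = (p: Term, q: Term): Term => Pi(p, shift(q, 1, 0));

// shift(t, d, c): add d to every free index >= c; c counts the binders crossed so far.
function shift(t: Term, d: number, c: number): Term {
  switch (t.tag) {
    case "Var": return t.i >= c ? V(t.i + d) : t;
    case "App": return app(shift(t.f, d, c), shift(t.a, d, c));
    case "Lam": return Lam(shift(t.ty, d, c), shift(t.body, d, c + 1));
    case "Pi": return Pi(shift(t.ty, d, c), shift(t.body, d, c + 1));
    default: return t;
  }
}

// subst(t, j, s): replace Var j by s and close the gap left by the consumed binder.
function subst(t: Term, j: number, s: Term): Term {
  switch (t.tag) {
    case "Var": return t.i === j ? s : t.i > j ? V(t.i - 1) : t;
    case "App": return app(subst(t.f, j, s), subst(t.a, j, s));
    case "Lam": return Lam(subst(t.ty, j, s), subst(t.body, j + 1, shift(s, 1, 0)));
    case "Pi": return Pi(subst(t.ty, j, s), subst(t.body, j + 1, shift(s, 1, 0)));
    default: return t;
  }
}

// Full β-normal form. Termination is strong normalisation; types are reduced too,
// which is the "convert everything to normal form" strategy discussed in 5.2.2.
function nf(t: Term): Term {
  switch (t.tag) {
    case "App": {
      const f = nf(t.f), a = nf(t.a);
      return f.tag === "Lam" ? nf(subst(f.body, 0, a)) : app(f, a);
    }
    case "Lam": return Lam(nf(t.ty), nf(t.body));
    case "Pi": return Pi(nf(t.ty), nf(t.body));
    default: return t;
  }
}

const equal = (a: Term, b: Term): boolean => JSON.stringify(a) === JSON.stringify(b);
// Type conversion: two types are equal iff their normal forms coincide.
const convertible = (a: Term, b: Term): boolean => equal(nf(a), nf(b));
// Application (M N) is only well-formed if the type of M normalises to a product.
const isProduct = (ty: Term): boolean => nf(ty).tag === "Pi";

// 5.2.2: ∧ := [P : Prop][Q : Prop](R : Prop)(P ⇒ Q ⇒ R) ⇒ R. Inside (R : Prop): P = 2, Q = 1, R = 0.
const And: Term = Lam(Prop, Lam(Prop, Pi(Prop, Arrow(Arrow(V(2), Arrow(V(1), V(0))), V(0)))));
// In Γ = [P : Prop][Q : Prop], P is Var 1 and Q is Var 0; x : (∧ P Q).
const typeOfX: Term = App(And, V(1), V(0));
// What (x P) needs: (R : Prop)(P ⇒ Q ⇒ R) ⇒ R, written directly.
const unfoldedAnd: Term = Pi(Prop, Arrow(Arrow(V(2), Arrow(V(1), V(0))), V(0)));

// 5.2.3: Inter := [C : (A → Prop) → Prop][x : A](P : A → Prop)(C P) ⇒ (P x), with A = Var 0.
const Inter: Term = Lam(
  Arrow(Arrow(V(0), Prop), Prop),
  Lam(V(1), Pi(Arrow(V(2), Prop), Arrow(App(V(2), V(0)), App(V(0), V(1))))),
);
// In Γ[x : A] = [A][C₀][P₀][p₀][x]: A = 4, C₀ = 3, x = 0; Inter itself was stated with A = 0.
const typeOfH: Term = App(shift(Inter, 4, 0), V(3), V(0));
const unfoldedInter: Term = Pi(Arrow(V(4), Prop), Arrow(App(V(4), V(0)), App(V(0), V(1))));

console.log(convertible(typeOfX, unfoldedAnd), isProduct(typeOfX), convertible(typeOfH, unfoldedInter));
```

This is the naive strategy criticised in the text: nf reduces everything, including subterms that a head-normal-form comparison would have told apart at once. A practical checker would instead reduce both sides to weak head normal form and recurse only on the matching components.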

5.2.4 Consistency

Definition. A proposition ⊢ P : Prop is inhabited if, and only if, there is an element term M such that ⊢ M : P.

Consistency Theorem. The Calculus of Constructions is consistent, in the sense that there exists a proposition which is not inhabited.

The intuitive meaning of this statement is that the calculus does not prove all its well-formed propositions. Indeed, the term ⊥ := ∀A · A is such a proposition.

5.3 Examples of constructions

All the examples discussed in polymorphic λ-calculus can be developed without modification in this new calculus, which extends it in a natural way. Let us now show how quantifiers can be expressed in the calculus.

5.3.1 Universal Quantification

Universal quantification, or general product, is implicit from the notation:

Π := ΛA · [P : A → Prop](x : A)(P x).

Π-introduction, i.e. universal generalization, is proved by abstraction:

Gen := ΛA · [P : A → Prop]ΛB · [f : (x : A) B ⇒ (P x)][y : B][x : A](f x y)

: ∀A · (P : A → Prop)∀B · ((x : A) B ⇒ (P x)) ⇒ (B ⇒ (Π A P)).

Similarly, Π-elimination is proved by instantiation, i.e. application:

Inst := ΛA · [P : A → Prop][x : A][p : (Π A P)](p x)

: ∀A · (P : A → Prop)(x : A)(Π A P) ⇒ (P x).
5.3.2 Existential Quantification

Existential quantification, or general sum, can be defined by a generalization of the binary sum:

Σ := ΛA · [P : A → Prop]∀B · ((x : A)(P x) ⇒ B) ⇒ B.

We leave it as exercise to the reader to prove existential introduction and elimination:

Exist : ∀A · (P : A → Prop)(x : A)(P x) ⇒ (Σ A P)

Witness : ∀A · (P : A → Prop)(Σ A P) ⇒ A.

Note that in a certain sense existential quantification is an abstraction mechanism: from (Σ A P) it is possible to get some a : A such that (P a), but not the proof p : (P a) that it indeed satisfies predicate P. Thus the existential quantification of the calculus of constructions is fundamentally different from the sum in Martin-Löf's calculus [122].

5.3.3 Equality

Leibniz' equality is definable in the calculus:

Equal := ΛA · [x : A][y : A](P : A → Prop)(P x) ⇒ (P y).

Exercise. Define the properties for a polymorphic relation to be reflexive, symmetric and transitive. Give the three proofs that Equal verifies these properties.

5.3.4 Tarski's theorem

Let us now present a simple example of a higher-order proof. The goal is to prove Tarski's theorem [186]:

Tarski's Theorem. A function monotonous over a complete partial ordering admits a fixpoint.

The first difficulty in formalizing Tarski's theorem is to give it in as abstract a setting as possible, in order to get the most direct proof. Let us try the following. Let A be a set, R a transitive relation over A which is complete, in the sense that every subset of A has a least upper bound. Let f : A → A be monotonously increasing. Then f admits a fixpoint.

We must now formalize the notions of set, subset, and fixpoint. A simple attempt at axiomatizing sets consists in assuming some type A given with an equality relation =, and to represent sets in the "universe" A by their characteristic predicate, i.e. as elements of type A → Prop. As for fixpoint, it turns out that all we need to require is that for some X we have (R (f X) X) and (R X (f X)). That is, the only property of equality that is needed here is the fact that R is anti-symmetric.

We  thus  assume  that  we  are  in  a  context  T,  containing  the  following  hypotheses: 

[A  :  Tppe] 

[  = :  A  -»  A  -*  Prop2 
[B  :  A  -+  A  -*  Prop] 

[Strans  :  (x  :  A)(y  :  A)(z  :  A)(B  *  y)  ^  (B  y  z)  ^  (B  x  z)] 

CBanttsym  ;  (x  ;  A)(y  :  AXA  x  y)  (B  y  x)  =>  (=  x  y)] 

[iim  :  (A  -♦  Prop)  -*  A] 

CUpperb  :(P  :  A-*  Brop)(y  :  A)(P  y)  (B  y  (Km  P))J 
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ILeaat :  (P  :  A  -*  PTop){y  :  A)((z :  A)(P  i)  ^  (H  z  y))  ^  (Jl  (lim  P)  y)] 

[/  :  A  -  a: 

liner  :  {x  :  A)(y  :  A)(fl  x  y)  ^  (R  (/  i)  (/  y))] 

Now  we  consider  the  predicate  Q  defined  as: 

<3  :=  lu  :  A](R  u  (f  «)) 

(that  is,  Q  is  the  set  of  pre-iixpoints  of  /)  and  the  element  X  :  A  defined  as: 

X  :=  (limQ). 

The  first  part  of  the  proof  consists  in  showing  a  proof  of  (R  X  (/  X))  in  context  T.  Let  us  first 

consider  A  =  Tty  :  A]  [h  :  (<3  y)],  and  terms  Af  =  (Upperb  Q  y)  and  N  =  {Incr  y  X).  We  get: 

A  I-  M  :  (P  y  (/  y))  (fi  y  X),  and: 

A  h  N  :  (R  y  X)  ^  (Rif  y)  (f  X)).  Composing  the  two  proofs  we  get: 
AhM-,N:(Rylfy))^  (R  {/  y)  (/  X)). 

Thus,  taking  p  =  (Af;  N  h),  we  obtain: 

A  h  (Rtrans  y  (f  y)  (/  X)hp):(Ry  (/  X)). 

Discharging  the  hypotheses  h  and  y,  we  get  T  =  [y  :  A]  [h  :  (Q  y)](Atrans  y  (/  y)  (/  X)  h  p) 
such  that: 

ri-T:VyeQ-(fly(/X)). 

The  proof  is  completed  by  constructing  U  =  (Least  Q  (f  X)  T),  since: 

Ti-U  :(RX  (f  X)). 

The  second  part  of  the  proof  is  the  converse.  Taking  Z  =  (Incr  X  (f  X)  U),  we  get; 
r  H  2  :  (fl  (/  X)  (/  (/  X))) 

but  since  this  last  proposition  converts  to  (Q  (/  X)),  we  get; 
r  I-  (Upperb  Q  (f  X)  Z) :  (R  (}  X)  X). 

The  proof  of  Tarski’s  theorem  is  thus  obtmned  as: 
r  h  (Rantisym  (f  X)  X  (Upperb  Q  (f  X)  Z)  V)  :  (=  (/  X)  X). 

Exercise. Use the above argument and the quantifier manipulation combinators above to prove Tarski's theorem as a fully quantified statement.
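The construction above, transcribed into Lean 4 as an added example (it is not part of the paper). The context Γ becomes the hypotheses of a single theorem, Lean's built-in equality stands in for the variable `=` of Γ, the abbreviation ∀y ∈ Q · P is written out as ∀ y, Q y → P, and the terms T, U, Z, V are the ones named in the text. Because the statement abstracts over A, R, lim and f, it is also the fully quantified form asked for in the exercise.

```lean
-- Added example, not from the paper: the argument of the text transcribed into
-- Lean 4.  The context Γ becomes the hypotheses of one theorem; Lean's own `=`
-- stands in for the variable `=` of Γ.  Names T, U, Z, V follow the text.
theorem tarski_fixpoint {A : Type}
    (R : A → A → Prop)
    (Rtrans : ∀ x y z : A, R x y → R y z → R x z)
    (Rantisym : ∀ x y : A, R x y → R y x → x = y)
    (lim : (A → Prop) → A)
    (Upperb : ∀ (P : A → Prop) (y : A), P y → R y (lim P))
    (Least : ∀ (P : A → Prop) (y : A), (∀ z : A, P z → R z y) → R (lim P) y)
    (f : A → A)
    (Incr : ∀ x y : A, R x y → R (f x) (f y)) :
    f (lim (fun u => R u (f u))) = lim (fun u => R u (f u)) :=
  -- Q := [u : A](R u (f u)), the set of pre-fixpoints of f; X := (lim Q)
  let Q : A → Prop := fun u => R u (f u)
  let X : A := lim Q
  -- First part, Γ ⊢ U : (R X (f X)).  For y with (Q y): (Upperb Q y h) : (R y X),
  -- (Incr y X _) : (R (f y) (f X)), and Rtrans joins them through (R y (f y)).
  let T : ∀ y : A, Q y → R y (f X) := fun y h =>
    Rtrans y (f y) (f X) h (Incr y X (Upperb Q y h))
  let U : R X (f X) := Least Q (f X) T
  -- Second part: Z : (R (f X) (f (f X))) converts to (Q (f X)), so Upperb applies.
  let Z : R (f X) (f (f X)) := Incr X (f X) U
  let V : R (f X) X := Upperb Q (f X) Z
  Rantisym (f X) X V U
```

The conversions the text relies on ((Q y) with (R y (f y)), and (R (f X) (f (f X))) with (Q (f X))) are handled by Lean's definitional unfolding of the let-bound Q and X, which is the counterpart of the type conversion rules of the calculus.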

Numerous examples of proofs verified on machine are presented in [39]. A general discussion on the formalization of mathematical arguments in higher order intuitionistic logic is given in [164].

6 A constructive theory of types

Let us now augment the Calculus of Constructions with rules allowing for the abstraction over all types. The first natural attempt is to allow Type : Type. We would thus get a system of rules very close to the one considered by P. Martin-Löf in [118]. However, this was shown to be inconsistent by Girard, who showed that it was possible to encode the paradox of Burali-Forti in such a system. An abstract analysis of such paradoxes is given by Coquand in [37]. Coquand showed that it was possible to quantify propositions over all types, but not other types such as product types. Such a system is presented below.
6.1 A system for uniform proofs

First, two rules provide for abstraction over all types:

    Γ[t : Type] ⊢ P : Prop
    ------------------------------ (TypeQuant)
    Γ ⊢ (t : Type)P : Prop

    Γ[t : Type] ⊢ P : Prop    Γ[t : Type] ⊢ M : P
    -------------------------------------------------
    Γ ⊢ [t : Type]M : (t : Type)P

Finally, we give one more type conversion rule:

    Γ[t : Type] ⊢ P : Prop    Γ[t : Type] ⊢ P = Q
    -------------------------------------------------
    Γ ⊢ (t : Type)P = (t : Type)Q

In such a system, we may now abstract the above proof of Tarski's theorem.


6.2 A system with a hierarchy of universes

It is even possible to iterate the idea of a type gathering all the types obtained so far. One thus gets a system with a hierarchy of universes like in Martin-Löf's system [122]. Let us present along those lines Coquand's Generalized Calculus of Constructions [37].


6.2.1 Terms

1. Type(i), for i a non-negative integer, and Prop are terms

2. a variable x is a term

3. if M and N are terms, then (M N) is a term (application)

4. if M and N are terms, then [x : M]N is a term (abstraction)

5. if M and N are terms, then (x : M)N is a term (product).

As previously, we denote by = the relation of λβ-conversion between terms.


6.2.2 Contexts

Contexts are ordered lists of bindings of the form x : M, where x is a variable and M is a term. Not every context is valid. The following rules define the valid contexts.

    the empty context is valid

    Γ is valid    Γ ⊢ M : Prop    x is not bound in Γ
    ---------------------------------------------------
    Γ, x : M is valid

    Γ is valid    Γ ⊢ M : Type(i)    x is not bound in Γ
    ------------------------------------------------------
    Γ, x : M is valid

These rules are defined mutually recursively with the following type inference rules, which define the judgements Γ ⊢ M : N, to be read "the term M is of type N in context Γ".
6.2.3 Type Inference Rules

    Γ is valid
    ---------------------
    Γ ⊢ Prop : Type(0)

    Γ is valid
    ---------------------------
    Γ ⊢ Type(i) : Type(i + 1)

    Γ ⊢ M : Type(i)
    --------------------- (coerce)
    Γ ⊢ M : Type(i + 1)

    Γ is valid    x : M ∈ Γ
    -------------------------
    Γ ⊢ x : M

    Γ, x : M ⊢ N : P
    -----------------------------
    Γ ⊢ [x : M]N : (x : M)P

    Γ, x : M ⊢ N : Prop
    -------------------------
    Γ ⊢ (x : M)N : Prop

    Γ ⊢ M : Type(i)    Γ, x : M ⊢ N : Type(j)
    --------------------------------------------
    Γ ⊢ (x : M)N : Type(max(i, j))

    Γ ⊢ M : Prop    Γ, x : M ⊢ N : Type(i)
    ----------------------------------------- (*)
    Γ ⊢ (x : M)N : Type(i)

    Γ ⊢ M : (x : Q)P    Γ ⊢ N : R    Q = R
    ----------------------------------------- (**)
    Γ ⊢ (M N) : [N/x]P

The only serious departure from [37] is the addition of rule (*), which was inadvertently omitted, and of rule (**), which is needed to prove the following lemma.


Lemma. If Γ ⊢ M : N is derivable, then either Γ ⊢ N : Prop is derivable, in which case we say that M is a proof of proposition N in context Γ, or else Γ ⊢ N : Type(i) is derivable for some i ≥ 0, in which case we say that M is a realization of specification N in context Γ.

This lemma shows that there are two distinct kinds of types in the system, in the sense of terms appearing to the right of a colon in a derivable sequent.


6.2.4 A digression on types, specifications and propositions

We say that term T is a type (in a given context) if it is either a specification or a proposition. We remark that the rules for context formation are that variables may be bound only to types, not to arbitrary terms. Since these are the two kinds of bindings, we shall speak of the constants Prop and Type(i) of the system as the kinds, following the MacQueen-Sethi terminology [112]. Specifications are the natural generalization of the notion of types in the sense of Church's theory of types. They are more general in that the product formation operator is dependent, like in Martin-Löf's theory of types [122]. When x does not occur in N, the specification (x : M)N may be abbreviated in the more traditional M → N. For instance, the specification of a predicate over type T would be T → Prop. Similarly, when P is a proposition and Q is a proposition in which x does not occur, we may abbreviate (x : P)Q in P ⇒ Q. Also, we use ∀x : M · P for (x : M)P when M is a specification and P is a proposition. When P is a proposition and M is a specification, the specification (x : P)M has realizations depending on the proof of P. It is not usual to consider such types in ordinary logic. However, they are needed to formalize constructive mathematics in Bishop's sense, where evidence of properties is taken as computationally meaningful. Here evidence (of properties) is internalized as proofs (of propositions). This is in contrast to the formalism LF (logical framework) developed at the University of Edinburgh [69], where judgements (as opposed to propositions) are types. We refer to [123] for a philosophical discussion of the issues involved.

Remark that the only specifications P which are typable of type Type(0) in the empty context are (convertible to) the terms of the form:

(x₁ : M₁) ... (xₙ : Mₙ)Prop.

The types of the system are more general than just specifications, since we use the paradigm of propositions as types [72]. More precisely, the formulation of the logical part of the system in natural deduction style allows the use of λ-abstraction for the dual purpose of building functional realizations as well as building proofs under hypotheses.

The inference system is completed by type equality rules, as follows.

6.2.5 Type Equality Rules

    Γ ⊢ M : N    Γ ⊢ P : Prop    N = P
    -------------------------------------
    Γ ⊢ M : P

    Γ ⊢ M : N    Γ ⊢ P : Type(i)    N = P
    ----------------------------------------
    Γ ⊢ M : P

Note that we allow λ-conversion only for types, not for other terms.

Remark 1. It might seem that the previous lemma allows us to simplify the two rules into one simpler rule:

    Γ ⊢ M : N    N = P
    ---------------------
    Γ ⊢ M : P

However, we are careful to specify that P must itself be well-typed, since otherwise we might introduce non-typable terms as types of other terms. Indeed, we need this restriction in order to preserve the validity of the lemma above.

Remark 2. The type equality rules allow us to replace the rule of application by the simpler:

    Γ ⊢ M : (x : Q)P    Γ ⊢ N : Q
    ---------------------------------
    Γ ⊢ (M N) : [N/x]P

Indeed, this is the way it was formulated originally [37]. However, our formulation is more consistent from the point of view of the meaning of the meta-variables in the rules, since several occurrences of the same meta-variable should mean that the corresponding term or context is shared, and this is not the case for Q above.

The system GCC is quite powerful. It extends strictly Girard's higher order system Fω. It permits to formalize completely the Principia's, including the so-called "typical ambiguity" feature. However, it is not very convenient to use, since we have to explicitly manipulate the universe hierarchy. Furthermore, there is no unicity of types (even modulo lambda-conversion), because of rule (coerce). This difficulty may be solved by manipulating the integer arguments to the Type constant as symbolic expressions. This is explained in [83].
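The universe rules of 6.1 and 6.2.3 checked against a modern implementation, as an added example that is not part of the paper. Lean 4's Sort/Type hierarchy plays the role of Prop and Type(i): each `example` elaborates only if the stated type is the one the corresponding rule assigns. Two differences from GCC are visible: Lean has no (coerce) rule, which is what restores unicity of types, and its universe-polymorphic declarations are the "symbolic expressions" in place of integer universe indices that the paragraph above refers to [83]; the identification of these two mechanisms is the editor's, not the paper's.

```lean
-- Added example, not from the paper: the universe rules of sections 6.1 and 6.2.3
-- checked against Lean 4, whose Sort/Type hierarchy stands for Prop/Type(i).
universe u v

-- Γ ⊢ Prop : Type(0)  and  Γ ⊢ Type(i) : Type(i+1)
example : Type := Prop
example : Type 1 := Type
example : Type (u + 1) := Type u

-- Product rules.  Lean computes the level of (x : M)N as `imax`, which collapses
-- to Prop whenever N is a proposition: this is the impredicative Prop rule.
example (α : Type u) (P : α → Prop) : Prop := (x : α) → P x
-- Γ ⊢ M : Type(i), Γ, x : M ⊢ N : Type(j)   gives   (x : M)N : Type(max(i, j))
example (α : Type u) (β : α → Type v) : Type (max u v) := (x : α) → β x
-- rule (*): proposition domain, specification codomain (realizations depend on a proof)
example (p : Prop) (α : p → Type u) : Type u := (h : p) → α h

-- 6.1, TypeQuant and its abstraction rule: a proposition may quantify over all types,
-- while a product over all types (not a proposition) lives one universe higher.
example : Prop := ∀ (t : Type) (x : t), x = x
example : ∀ (t : Type) (x : t), x = x := fun _ _ => rfl
example : Type 1 := (t : Type) → t → t

-- (coerce) has no counterpart: the hierarchy is not cumulative, so `Nat : Type 1`
-- is rejected and lifting is explicit with ULift.  Every term thus has one type.
example : Type 1 := ULift.{1} Nat
-- example : Type 1 := Nat   -- type mismatch: Nat : Type

-- Symbolic universe indices: `u` in id' is a level variable instantiated per use,
-- instead of a fixed integer argument to Type.
def id' {α : Sort u} (a : α) : α := a
example : Nat := id' 3           -- u := 1
example : True := id' trivial    -- u := 0
```

Uncommenting the rejected line is the quickest way to see the consequence of dropping (coerce): the only way to move Nat up a universe is the explicit ULift, so no term has two types modulo conversion, which is exactly the unicity that (coerce) destroys in GCC.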